KCQ: A New Approach to Quantum Cryptography 
I. General Principles and Key Generation

Horace P. 

Department of Electrical and Computer Engineering, 
Department of Physics and Astronomy, Northwestern University, Evanston, IL 60208 

A new approach to quantum cryptography, to be called KCQ, keyed communication in quantum noise, is developed on the basis of quantum detection and communication theory for classical information transmission. By the use of a shared secret key that determines the quantum states generated for different data bit sequences, the users may employ the corresponding optimum quantum measurement to decode the data. This gives them a better error performance than an attacker who does not know the key when she makes her quantum measurement, and an overall generation of a fresh key may be obtained from the resulting advantage. This principle is illustrated in the operation of a concrete qubit system. A general information-theoretic description of the overall approach will be presented and contrasted with the detection/coding description necessary for specific protocols. It is shown that the attacker's error probability profile is needed for a complete assessment of her information on the generated key. The criterion of protocol efficiency and its sensitivity to system parameter fluctuation is proposed as another benchmark in the evaluation of key generation protocols. For systems described by infinite-dimensional state spaces, referred to as qumodes, KCQ key generation schemes with coherent states of considerable energy will be presented together with the corresponding security analysis. Various advantage enhancement and randomization techniques are introduced for improving the security and efficiency of such protocols. A specific m-ary coherent orthogonal signaling scheme, CPPM, is presented that can yield efficient secure key generation over long-distance telecomm fibers using conventional optical technology. The issue of secrecy in direct encryption using KCQ is also discussed, in general and in connection with the αη protocol, on which experimental progress has been made. It is indicated that information-theoretic security against known-plaintext attack is possible, which has never been suggested for any cryptosystem. In particular, it is shown that CPPM offers information-theoretic security against known-plaintext attacks while the data are unconditionally secure. Some qualitative comparisons among the different key generation schemes are made from both a fundamental and a practical viewpoint. Further quantitative development, the detailed analysis of direct encryption, and the effects of various advantage enhancement techniques will be presented in future papers of this series. Some apparent gaps in the unconditional security proofs of previous protocols are indicated in Appendix A. The core of the paper is contained in sections III and VI.
I. INTRODUCTION

Quantum cryptography, the study of cryptographic protocols with security built on the basis of quantum effects, has been mainly developed along the line of the original BB84 protocol [3] and its variations. The focus is on key generation (key expansion), the establishment of a fresh key between two users, which is often referred to in the literature as quantum key distribution [65]. Without the use of quantum effects, it was known that (classical) key generation is possible whenever the user and the attacker have different observations (ciphertexts) from which the user can derive a performance advantage, a process to be referred to as advantage creation [66]. In BB84 type quantum cryptographic schemes, advantage creation is obtained through intrusion-level detection [63] that quantitatively assures the attacker's observation to be inferior to the users', thus allowing privacy distillation (amplification) to essentially eliminate the attacker's information on the final key generated. Classically, this approach cannot succeed because the attacker can always, in principle, clone a copy identical to the user's observation, and no advantage can possibly be created. Quantum mechanically, there is a general tradeoff between the attacker's disturbance and her information on the user's observation. By estimating the intrusion level, the user can (probabilistically) assure a better observation for decoding the original data, from which a fresh key may be generated.

There are several problems, in theory and in practice, with the BB84 type quantum protocols. Among them are the necessity of using a weak but accurate signal source, a near perfect transmission line, and sensitive and fast quantum detectors, as well as the difficulties of having appropriate amplifiers or repeaters to compensate loss, developing specific practical protocols with quantifiable security against all realistic attacks, and achieving reasonable efficiency with such protocols. These problems are summarized in Section VIII and a few hitherto unanalyzed problems are summarized in Appendix A. As a consequence, the usefulness of BB84 type protocols is severely curtailed, especially for commercial applications. Most of these problems can be traced to the need of measuring the intrusion level for balance between the user's and the attacker's information on the data, and the necessity of using weak signals. In this paper, a new type of quantum protocol, to be called KCQ (keyed communication or keyed CDMA in quantum noise), is presented. Such protocols do not need to involve intrusion-level detection and permit the use of coherent states with considerable energy, thus alleviating the above problems. They can be implemented using optical technology and readily integrated with existing optical communication formats. It is hoped that they will quickly bring quantum cryptography to practical application.

The basic idea of KCQ is to utilize a shared secret key between the users to determine the quantum signal set to be chosen separately for each information sequence, the quantum noise being inherent in the quantum signal set from quantum detection and communication theory. Such shared secret keys have also not been used in classical key generation. On the other hand, the use of a shared secret key is necessary in BB84 type protocols and classical public discussion protocols for the purpose of message authentication or realizing the public channel. In contrast, a shared secret key is utilized in an essential way in KCQ protocols, but a fresh key can be generated that is much larger than the secret key used during key generation. For KCQ key generation, advantage creation is obtained from the different optimal or near-optimal quantum receiver performance between the user who knows the key and the attacker who does not when she makes her quantum measurement, even when a copy of the quantum signal is granted to the attacker for the purpose of bounding her information without intrusion-level detection. This difference in performance has no classical analog. The KCQ approach evolves from the anonymous key encryption method described in Ref. [...]. Exactly how and why this approach works is explained both generally and concretely in this paper.

In practice, infinite dimensional state spaces, to be referred to as qumodes, provide the standard framework for describing coherent-state laser signals. As in classical communication systems, qumode systems allow the suppression of errors with signal energy without error control coding that may complicate security proofs and hinder the development of specific protocols. Also, KCQ can be used for direct encryption, which has security performance criteria different from those of key generation, apart from the inefficient one-time pad approach. The basic use of KCQ in binary and m-ary detection of coherent-state qumode systems will be described. In particular, a specific coherent pulse-position modulation scheme, to be called CPPM, is shown to have many dramatic characteristics, including automatic privacy distillation, secure key generation and data transmission over long-distance telecomm fibers, and information-theoretic security against known-plaintext attacks. This last characteristic is impossible in conventional cryptography, and its possibility has also never been suggested in quantum cryptography. These qumode results are presented in sections V and VI, and direct encryption is briefly described in section VII. They are qualitatively compared to other quantum key generation (QKG) schemes in section VIII. Detailed quantitative development of CPPM and other schemes for operation in realistic environments will be given in the future.

Key generation via KCQ on qubits is developed in Section II. In Section III, a general analysis of the KCQ approach and of QKG security against joint attacks is presented with the more complete criterion of error profile instead of mere mutual information. A protocol efficiency criterion on QKG protocols is introduced in Section IV, which should be insensitive to system parameter fluctuation for a protocol to be realistically useful. In Appendix A, we briefly discuss some serious gaps in the QKG unconditional security proofs against joint attacks given in the literature. In Appendix B, we respond to several criticisms of αη, a coherent-state KCQ scheme for direct encryption upon which significant experimental progress has been made. For readers who want to go directly to the core of our new results, please read sections III, V, and VI.



II. KCQ QUBIT KEY GENERATION 

We consider a specific KCQ qubit scheme for key generation, to be called qk, to introduce and explain the characteristics of the KCQ approach to quantum cryptography.

Let an arbitrary qubit state be represented by a real vector on the Bloch-Poincaré sphere. As depicted in Fig. 1, an even number M of points uniformly distributed on a fixed great circle on the sphere, corresponding to M/2 possible orthonormal bases, are used as possible quantum signal states for the bit value b = 0, 1. The opposite points on a diameter of the circle for a given basis are the two orthonormal states for the two possible bit values. The two neighbors of each of the M points are taken to represent a different bit value. A shared secret key K between two users, Adam (A) and Babe (B), is used to select a specific basis for each qubit. A secret polarity bit may also be introduced to be added to the data bit for randomizing the polarity of the basis. Instead of using the same K for each b, a long running key K' obtained from the output of a standard (classical) encryption mechanism with K as the input may be used to yield different basis selection and polarity bits for different b's in an n-sequence of input data $X_n$. This is depicted in Fig. 1 where, e.g., the ENC box may represent a synchronous stream cipher or even just a linear feedback shift register (LFSR) for the key extension. Thus, generally a total of $1 + \log_2(M/2)$ bits from K' would be used to determine the polarity bit and the selection of one of the M/2 possible bases.

The key generation process goes as follows. Adam picks a random n-bit data sequence $X_n$, modulating n corresponding qubits by using K' to determine the polarity and basis for each qubit. Babe generates the same K' to decide on the quantum measurement basis for each b in $X_n$, and decodes the bit value by the corresponding measurement. A classical error correcting code (CECC) may be used on the n-sequence to eliminate noise in the system that may originate anywhere, including source, transmission line, and detector. Privacy distillation may then be employed to bring the attacker Eve (E)'s bit error rate on the final key to any desired small level. Intrusion-level detection is avoided by granting E a full copy of the quantum signal for the purpose of bounding her information. Advantage creation is obtained from the different (optimal) quantum receiver performance, in an individual or joint attack, between B who knows K and E who does not. Further data and signal keyless randomization may be introduced by A to guarantee security against joint attack and to improve the key-bit generation efficiency $k_{eff}$. Finally, the new key is verified to be correct by the use of another short key $K_v$, which may be done openly (publicly, i.e., the ciphertext is available to E). All these steps and features will be described and explained in detail in this and the following sections. There are significant theoretical and practical advantages of the qk scheme of Fig. 1 as compared to BB84. In particular, it can handle all system imperfections and noise of any origin at the same time, and produce reasonable key-bit generation efficiency $k_{eff}$.

The substantive use of secret keys in the key generation process other than for message authentication has been introduced before [14, 15, 17]. In particular, it has been used in [20] in selecting one of the two possible bases in BB84 for improving $k_{eff}$, while keeping the other protocol steps, including intrusion-level detection, intact. In contrast, the security of our KCQ scheme is derived from a different quantum principle, the difference in optimal quantum receiver performance with and without the key, rather than the information/disturbance tradeoff underlying BB84 and related schemes. Our use of a long running key K' and large M is not only essential in obtaining high $k_{eff}$, it is also essential for obtaining complexity-based security against known-plaintext attacks when KCQ is used for direct encryption. It also plays a role in yielding reasonable key generation rates for coding-theoretic protocols with unconditional security. In contrast, the unconditional security proof described in Ref. [...] is not complete even with intrusion-level detection, due to the quantum state correlation or memory among different qubits induced by the shared secret key, in addition to the previous problems in such security proofs described in Appendix A. Indeed, it is a major problem in using a secret key that one needs to show there is a net resulting key generated after subtracting the original key used, or that the system is somehow worth the |K| cost. Most significantly, the use of shared secret keys in our KCQ approach makes possible the development of large-signal schemes with conventional optical technology as described in sections V and VI.

FIG. 1: The qk scheme. Left — two neighboring bases, I and II. Right — overall encryption involves modulation with bases determined by a running key K' generated from the seed key K via an encryption mechanism denoted by the box ENC.

We first analyze the security of the above qk scheme under joint attack on the seed key K and a specific kind of individual attack on the data X, given the quantum ciphertext. In contrast to data encryption, there is no known-plaintext attack in key generation because one presumes A can generate completely random data bits unknown to both B and E a priori. The problem of how this can be done at high rate is a separate issue common to every kind of cryptography. The term 'individual attack' is ambiguous, but the attack considered in the quantum cryptography literature under this label usually refers to the situation where E prepares the probe/interaction to each qubit of the quantum signal sequence individually and identically, measures each of her probes individually and identically, and processes the resulting information independently [72] from one qubit to the other. Since, for bounding E's information, we grant E a copy of the quantum signal sequence, the optimal performance of which clearly provides an upper bound on E's performance with an actual inferior copy obtained via a probe, there is no question of probe/interaction in the attack on such systems, only individual-qubit versus collective measurements. Possible disruption of the signal by E will be discussed in Section III.F. The individual attack on the data analyzed quantitatively in the following is of the same nature as that in the BB84 literature [21], namely a constant measurement on each qubit and independent processing. We will call such attacks constant individual attacks.

Such an attack does not include all possible attacks within a reasonable limitation on E's technology, in both the BB84 and our schemes. If one may limit E's measurement to individual-qubit ones, perhaps because measurement across many qubits is difficult to make [73], there is no reason to limit E's classical processing after measurement to qubit-by-qubit separately, except for ease of analysis! A more detailed general classification of attacks and their analysis will be provided in the future.

Generally, let $\rho_x^k$ be the quantum state corresponding to the data x (a single bit or a bit sequence) and the running key sequence k that is used to determine the basis and/or polarity of the qk scheme for that length of x. For M/2 possible bases and a single bit x, there are $1 + \log_2(M/2)$ bits in k for both basis and polarity determination. Each $\rho_x^k$ can be represented as a real vector of norm 1 on the great circle, the angle between any two nearest neighbor vectors being $2\pi/M$ radians. The quantum ciphertext available to E for upper-bounding her performance is $\rho_x^k$ where both x and k are random.

For the purpose of attacking the key, the quantum ciphertext reduces to $\rho^k = \sum_x p_x \rho_x^k$, where $p_x$ is the a priori probability of the data x. By an optimal measurement on the qubits, the probability of correctly identifying the key is obtained from $\rho^k$ via quantum detection theory. We may let x be any n-sequence, so that $\rho_x^k = \rho_{x_1}^{k_1} \otimes \cdots \otimes \rho_{x_n}^{k_n}$. Let $p_x = 1/2^n$ for each n-bit sequence. It is easily seen from the quantum modulation format that $\sum_x p_x \rho_x^k = \otimes^n (I/2)$, where I is the qubit identity operator, irrespective of the nature of k. Thus, $\rho^k$ is independent of k and the quantum ciphertext provides no information on k at all. Specifically, any processing on $\rho^k$ yields an a posteriori probability on k equal to the a priori probability $p_k$, which may be chosen to be uniform for maximum security.

Consider now the attack on x through the decision on x from measurement on the quantum ciphertext in state $\rho_x = \sum_k p_k \rho_x^k$. For individual attacks of the kind described above, one obtains $\rho_x$ corresponding to a single bit by tracing out the rest of the data sequence. When a polarity bit is used from k, it is easily seen that E's bit error probability is $P_1^E = 1/2$ by averaging on the two polarities alone. When the polarity bit is not used, $\rho_1$ and $\rho_0$ are different. The optimum is given by $P_1^E = 1/2 - (1/4)\|\rho_1 - \rho_0\|_1$, in terms of the trace distance $\|\rho_1 - \rho_0\|_1$ between $\rho_1$ and $\rho_0$, which can be explicitly evaluated for a single qubit. This $P_1^E$ goes as ... for large M and can thus be made arbitrarily small.
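The two results just derived, as an added example that is not the paper's code: a Bloch-vector model of the qk scheme in which the key-attack ciphertext $\rho^k$ averages to I/2 for every k, and E's optimum bit error probability under a constant individual attack is computed from the trace distance, with and without the polarity bit, then checked against a small simulation of B and E decoding a perfect channel. The bit-to-point assignment (bit 0 at point i for even i, at its antipode for odd i) and the seeded PRNG standing in for the ENC box are assumptions of this example; under that assignment the single-qubit value is $P_1^E = 1/2 - 1/(M\cos(\pi/M))$.

```python
"""Bloch-vector model of the qk scheme of Sec. II (added example, not the
paper's code).  A state on one great circle of the Bloch sphere is the unit
vector (cos t, sin t).  M points at angles 2*pi*j/M give M/2 bases; basis i
is the antipodal pair {i, i + M/2}.  Assumed bit mapping: bit 0 sits at
point i for even i and at point i + M/2 for odd i, so neighbouring points
carry different bit values; the optional polarity bit flips the mapping."""
import math
import random


def state_angle(M, basis, polarity, bit):
    """Angle of the state encoding `bit` in `basis` under `polarity`."""
    assert M % 4 == 0 and 0 <= basis < M // 2
    flip = (basis % 2) ^ polarity ^ bit          # 1 -> antipodal point
    return 2 * math.pi * (basis + flip * (M // 2)) / M


def mean_bloch(angles):
    """Bloch vector of the uniform mixture of the pure states at `angles`."""
    n = len(angles)
    return (sum(math.cos(t) for t in angles) / n,
            sum(math.sin(t) for t in angles) / n)


def key_attack_bloch(M, basis, polarity):
    """Bloch vector of rho^k = sum_x p_x rho_x^k for one fixed running key k.
    The two data states are antipodal, so the mixture is I/2 (vector (0, 0))
    for every k: the ciphertext alone carries no information on the key."""
    return mean_bloch([state_angle(M, basis, polarity, b) for b in (0, 1)])


def eve_bit_states(M, use_polarity):
    """Bloch vectors of rho_0, rho_1 = sum_k p_k rho_b^k as seen by E, who
    averages over all bases (and over the polarity bit when it is used)."""
    pols = (0, 1) if use_polarity else (0,)
    return [mean_bloch([state_angle(M, i, p, b)
                        for i in range(M // 2) for p in pols]) for b in (0, 1)]


def eve_error_probability(M, use_polarity=False):
    """Helstrom bound P_1^E = 1/2 - (1/4)||rho_1 - rho_0||_1 for a constant
    individual attack; for qubits the trace norm is the Euclidean distance of
    the Bloch vectors.  For the mapping assumed here this evaluates to
    1/2 - 1/(M cos(pi/M)) without polarity (about 1/2 - 1/M for large M) and
    to exactly 1/2 when the polarity bit is used."""
    r0, r1 = eve_bit_states(M, use_polarity)
    return 0.5 - math.hypot(r1[0] - r0[0], r1[1] - r0[1]) / 4


def running_key(seed_key, nbits):
    """Stand-in for the ENC box of Fig. 1 (a stream cipher expanding K into
    K').  A seeded PRNG is used here only so the example is self-contained."""
    g = random.Random(seed_key)
    return [g.randrange(2) for _ in range(nbits)]


def measure(t, axis, rng):
    """Projective measurement of the pure state at angle t along `axis`:
    0 for the outcome at `axis`, 1 for its antipode (Born rule)."""
    return 0 if rng.random() < math.cos((t - axis) / 2) ** 2 else 1


def simulate(M, n, seed_key, rng_seed=1, use_polarity=False):
    """Perfect channel, n qubits.  B measures in the keyed basis; E makes the
    best constant measurement (axis along rho_0 - rho_1) without knowing K'.
    Returns (B's bit errors, E's bit errors)."""
    rng = random.Random(rng_seed)
    per_qubit = 1 + int(math.log2(M // 2))        # polarity bit + basis bits
    kp = running_key(seed_key, n * per_qubit)
    r0, r1 = eve_bit_states(M, use_polarity)
    eve_axis = math.atan2(r0[1] - r1[1], r0[0] - r1[0])
    b_err = e_err = 0
    for j in range(n):
        bit = rng.randrange(2)                    # A's random data bit
        chunk = kp[j * per_qubit:(j + 1) * per_qubit]
        polarity = chunk[0] if use_polarity else 0
        basis = int("".join(map(str, chunk[1:])), 2)
        t = state_angle(M, basis, polarity, bit)
        # B's outcome says "point basis" (0) or "its antipode" (1); undo the map
        b_bit = measure(t, 2 * math.pi * basis / M, rng) ^ (basis % 2) ^ polarity
        b_err += b_bit != bit
        e_err += measure(t, eve_axis, rng) != bit
    return b_err, e_err


if __name__ == "__main__":
    for M in (4, 8, 16, 64):
        print(M, round(eve_error_probability(M), 4),
              round(eve_error_probability(M, use_polarity=True), 4))
    print("B errors, E errors:", simulate(8, 2000, seed_key=0xACE1))
```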

That it is unreasonable to consider only such limited individual attacks can be seen as follows. Suppose a key k of $1 + \log_2(M/2)$ bits is used repeatedly to determine the polarity and basis choice of each qubit state in a sequence. Even though the above individual attack error rate for E is the ideal 1/2, in actuality E has a probability $2^{-|k|}$, |k| being the number of bits in k, of completely decrypting x by guessing k and using it on every qubit [76]. In a similar way, the same problem arises for a running key obtained from a short seed key K. That is, the correlation between bits in x due to k can be exploited by joint classical processing on individual qubit measurements. The presence of the encryption box in Fig. 1 does not improve the situation fundamentally for information-theoretic security even if the seed key K is long, because E can generate K' from a guessed K, as the encryption mechanism is openly known. Before we discuss general joint attacks in the next section, a number of issues on the above development will first be cleared up.

First, aside from the information-theoretic security issue, the encryption box in Fig. 1 always increases the security of qk through physical and computational complexity, and it also increases the efficiency of key-bit generation fundamentally. Since there is often a trade-off between security and efficiency, increasing the efficiency without compromising security is in a sense increasing security (for a given efficiency). Suppose the encryption box is a stream cipher that outputs a long running key K' from a seed key K. If it is a maximum length LFSR of |K| stages, then K' up to length $2^{|K|}$ is 'random' in various senses, even though exact knowledge of K' of length 2|K| is sufficient to determine K uniquely by the Berlekamp-Massey algorithm. If K is used repeatedly without K' in Fig. 1, the $\rho_x^k$ would be correlated by the repeated k for short x-sequences, with any reasonable |K| and M. A joint (measurement) attack can then be launched much more easily because the physical complexity - in this case the correlated qubit measurement - needed is much smaller than the one that comes from a long K' from the same K. While K' is not open to observation in the present case [79], computational complexity obtains in any event when one attempts to correlate the different bits in x through the unknown key. Computational complexity is an excellent security mechanism if it can be shown to be exponential, as the Grover search can only reduce the exponent by a factor of 1/2. Long keys with $|K| \sim 10^3$ can readily be used in stream ciphers, and searching $2^{10^3}$ items is already far beyond the capability of any imagined quantum computer. In conventional cryptography, many stream ciphers are used by themselves as the complete security mechanism. They can be incorporated in schemes such as Fig. 1 or the qumode schemes of Refs. [...] to increase the overall security in direct encryption.
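The Berlekamp-Massey remark above, as an added example that is not part of the paper: a 16-stage maximal-length LFSR stands in for the ENC box, only 2|K| = 32 bits of its running key K' are observed, and the feedback polynomial and seed are recovered from them and shown to reproduce the rest of K'. The polynomial x^16 + x^14 + x^13 + x^11 + 1, the seed value and the lengths are illustrative choices of this example.

```python
"""Added example (not the paper's code) for the remark that an LFSR used as
the ENC box of Fig. 1 is only computationally secure: a maximal-length LFSR
with |K| stages produces a running key K' that looks random for 2^|K| - 1
bits, yet the Berlekamp-Massey algorithm recovers its feedback polynomial
and the seed K from any 2|K| consecutive bits of K'.  The 16-stage
polynomial x^16 + x^14 + x^13 + x^11 + 1 is a stock illustrative choice."""


def lfsr_stream(taps, seed, nbits):
    """Fibonacci LFSR over GF(2).  taps[i-1] is the coefficient c_i of the
    recurrence s[n] = sum_{i=1..L} c_i * s[n-i] (mod 2); `seed` holds the
    first L output bits, i.e. the seed key K.  Returns nbits of K'."""
    L = len(taps)
    s = list(seed)
    while len(s) < nbits:
        s.append(sum(taps[i] * s[-1 - i] for i in range(L)) % 2)
    return s[:nbits]


def berlekamp_massey(bits):
    """Shortest LFSR generating `bits`: returns (L, C) with C[0] = 1 and
    s[n] = sum_{i=1..L} C[i] * s[n-i] (mod 2) for every n >= L."""
    n = len(bits)
    C = [1] + [0] * n          # current connection polynomial
    B = [1] + [0] * n          # copy of C before the last length change
    L, m = 0, 1                # current length, steps since that change
    for i in range(n):
        d = bits[i]            # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for j in range(n + 1 - m):
            C[j + m] ^= B[j]
        if 2 * L <= i:
            L, B, m = i + 1 - L, T, 1
        else:
            m += 1
    return L, C[:L + 1]


# x^16 + x^14 + x^13 + x^11 + 1 as coefficients c_1 .. c_16
TAPS_16 = [1 if i in (11, 13, 14, 16) else 0 for i in range(1, 17)]


def recover_from_running_key(seed_key=0xACE1, observed=32, total=64):
    """Generate `total` bits of K' from a 16-bit seed, hand E only the first
    `observed` = 2|K| bits, and check that she reproduces the whole stream.
    Returns (recovered length, taps recovered, full stream reproduced)."""
    seed = [int(b) for b in format(seed_key, "016b")]
    stream = lfsr_stream(TAPS_16, seed, total)
    L, C = berlekamp_massey(stream[:observed])
    regenerated = lfsr_stream(C[1:], stream[:L], total)
    return L, C[1:] == TAPS_16, regenerated == stream


if __name__ == "__main__":
    print(recover_from_running_key())   # (16, True, True)
```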

Second, if cloning is possible so that $2^{|K|}$ copies of the quantum ciphertext are available, there is no possibility of key generation in principle. This is because E can use the $2^{|K|}$ different keys on the different copies, narrowing down the data to exactly $2^{|K|}$ possibilities corresponding to the key uncertainty. She can then follow whatever processing the users employ on her own data, and the users have succeeded only in obtaining a derived key, not a fresh one, whose randomness comes entirely from the original key without forward secrecy. This also explains why no key generation is possible when the user and the attacker have the same observation. Note, however, the difference between cloning and having one full copy. Having one copy is equivalent to the classical situation where many identical copies can be made, because together they do not tell the input data better than just one copy. Quantum mechanically, the quantum uncertainty goes down with the number of copies available, from the laws of quantum physics - indeed the state is in principle determined exactly, say by quantum tomography, with an infinite supply of identical copies. Thus, the classical analog of 'cloning' is the granting of one identical copy, not many as in full cloning.

Third, the possibility of attacking the data x is not completely described by $\rho_x$ in general. This is because E knows there is a $\rho_x^k$ representation. Thus, she can attack the key via quantum measurement on part of the qubit sequence, and then attack the data with any knowledge she may thus learn. A similar but less serious situation occurs for attacks on the key via partial attacks on the data first. These possibilities, however, do not arise in the case of constant individual attack.

Before turning to joint attacks, it should be noted that security results against individual attacks are far from useless. In practice, a joint attack may require correlated qubit measurement, as the qubit states are correlated through the running key K'. Thus, the physical complexity of such quantum measurement and the computational complexity introduced through the encryption box would provide very significant security against attacks that can be realistically launched in the foreseeable future. When joint processing of the individual measurement results is performed, the quantum noise introduced in such individual measurement already yields a noisier copy for the attacker that allows advantage distillation by the user. This would distinguish our cryptosystem as a truly quantum one that has no classical analog, and give real meaning to the security claim against individual attacks. Performance under different types of such 'individual attacks', including ones involving adaptive qubit-by-qubit measurements, will be presented in the future.

Consider the operation of qk of Fig. 1 for a perfect qubit channel, under joint (collective) attack by E where, as a performance bounding technique, she is supposed to have a full identical copy of the n-sequence quantum state as B. She has to make a quantum measurement, however, without knowing the key, which she may possess later — see section III.B for a complete description. Here we would observe that she would not be able to make a perfect decryption with probability equal to 1 for any finite n. After whatever quantum measurement on the n qubits she made, she still would not be able to make a perfect decryption if K is then given to her. This is because a perfect decryption occurs when and only when the measurement she made is exactly that prescribed by K. This shows that an advantage is created which may lead to an unconditionally secure protocol with or without the use of further channel coding, as shown in section III.H. When channel noise is present, a classical error correcting code (CECC) on the quantum states may be employed and separate privacy amplification may be required. The exact quantitative performance will be detailed elsewhere.



III. GENERAL PRINCIPLES OF KCQ KEY GENERATION

In this section, the basic principles underlying key generation via KCQ will be explained. The general principles of key generation will first be reviewed and analyzed, extending the usual framework to include shared secret keys and the more appropriate criterion of error profile in addition to and in place of mutual information. The quantum nature of KCQ will be pinpointed. The overall steps and structure of a KCQ key generation protocol will be exhibited, and the conditions for key generation established. Various basic conditions on key generation will be discussed, particularly in relation to the usual QKG approach. This section III and the later qumode key generation section VI, which gives the specific qumode QKG protocol CPPM, may be regarded as the heart and brain of this paper. For a detailed review of the background in classical as well as quantum detection and communication theory for classical information transmission that is crucial for a complete understanding of these sections, please see Ref. [...] and references cited therein. For a development of optical communication theory that is important in fully comprehending the details of how KCQ protocols work, please see also Ref. [...].

Consider an entire joint process of data transmission and encryption/decryption as described in Fig. 2. A sends an l-bit sequence $U_l$ and encrypts/encodes it into an n-qubit or n-qumode sequence in state $\rho_x^k$, with the possible use of a shared secret key k with B, which may include a source code key $K_s$, a channel code key $K_c$, and a quantum state modulation code key $K_m$. Classically, $\rho_x^k$ would be replaced by just an n-bit channel input sequence $X_n$ corresponding to the x in $\rho_x^k$. The 'channel' represents all the interference from the system one has to suffer, with $C_i$ giving the output qubit states for i = E, B. For E who does not know k, the state is $\rho_x$, upon which she picks a measurement on the basis of that and her later knowledge from all sources, including public discussion, to produce an estimate of the final key generated by A and B. For B who knows k, the channel output state is $\rho_x^k$, from which she uses her knowledge of k to obtain an estimate of $U_l$. Classically, the states would be replaced by the observations $Y_n^E$ and $Y_n^B$, the disturbed outputs of $X_n$. Quantum mechanically, they are the results of corresponding optimal or near-optimal measurements on the qubits or qumodes from which the estimates are made. One may first consider, for simplicity, that E's estimate is obtained without knowledge of $K_m$. More generally, one may split the measurement into parts in which attacks on x and on k are intertwined. Privacy distillation may already be incorporated in this process, or may be added to $U_l$ and its estimate. The use of such an approach for direct encryption is briefly treated in section VII.

FIG. 2: General keyed communication in quantum noise.

The essential steps in the operation of a KCQ key generation protocol involve

(i) The use of a shared secret key $K_m$ between A and B that determines the quantum states generated for the data bit sequences in a detection/coding scheme between A and B that gives them a better error performance over E who does not know $K_m$ when she makes her quantum measurement;

(ii) A way for A and B to extract a fresh key from the above performance advantage;

(iii) A key verification process using another shared secret key $K_v$ between A and B.

The main novelty and power of this approach, in principle, consists of

(a) Performance advantage is derived from the different quantum receiver performance between B who knows the key $K_m$ when she performs her quantum measurement and E who knows $K_m$ only after she has made her quantum measurement.

(b) No intrusion-level detection or even intrusion detection is needed by A or B.

(c) No public discussion is needed between A and B.

(d) No separate privacy distillation, or reduction in the key generation rate due to any such equivalent operation, is needed in a properly designed system.

As a consequence, this approach makes possible the development of an efficient, secure key generation protocol over long-distance telecomm fibers using commercial optical technology. In the following, these points will be fully explained and explicated. The contrast between KCQ and the usual QKG approach, both in theory and in practice, will be highlighted.

A. Principle of Key Generation

A key generation protocol with information-theoretic security, whether it is based on classical or quantum randomness, would consist of the following three logical steps:

(i) Advantage Creation:

The users A and B create a communication situation between themselves with an observed random variable $Y_B$ for B that leads to a better error performance than that obtained by E from her observed random variable $Y_E$ and all her side information.

(ii) Error Correction:

The users agree on a generated string that is free of error with high probability if E is absent.

(iii) Privacy Distillation:

The users derive from the generated string a generated key on which E's error probability profile satisfies a given security level.


The first step (i) may be achieved classically in the presence of different noises for B's and E's communication channels with respect to A's data, perhaps with the help of public discussions between A and B. In the quantum key generation approaches so far, (i) is achieved via intrusion-level detection, explicit or implicit, that guarantees that A and B have a better communication line than A and E in the sense of mutual information, which is also the privacy distillation criterion used in step (iii). The steps (ii) and (iii) could be combined by an error correcting code, quantum or classical, that simultaneously performs privacy distillation. This is indeed the way the usual QKG unconditional security (existence) proofs involving CSS codes are carried out. In
QKG experiments to date, these steps are distinct and a 
separate privacy distillation code is employed whenever 
step (iii) is implemented. In our KCQ protocol called 
CPPM in section VI, step (iii) is automatically achieved 
in an ideal fashion from the m-ary signaling scheme em- 
ployed. More generally, we will show that privacy am- 
plification is unnecessary in most cases when the proper 
criterion of E's optimal error probability is used in place 
of her mutual information. 






B. Advantage Creation with Shared Secret Key 

In the literature, it was shown that if a situation is obtained in which the mutual information between A and B, $I(X_A; Y_B)$ for the random variables $X_A$ and $Y_B$ in A's and B's possession, is bigger than that between A and E, $I(X_A; Y_E)$, or that of B and E from the symmetrically interchangeable roles of A and B, key generation is possible. That is, an information-theoretic existence proof is given under the condition

$I(X_A; Y_E) < I(X_A; Y_B)$  (2)

with the conclusion that an asymptotic key generation rate $\Delta I = \max_{p(X_A)} [I(X_A; Y_B) - I(X_A; Y_E)]$ is possible between A and B with the (total) amount of mutual information E has on the key generated being arbitrarily small. In these results, there is no shared secret key between A and B.

Such results can be generalized to include the use of a shared secret key $K$ as follows. E is going to observe her channel output $Y_E$ without the benefit of knowing $K$. However, one has to make sure that the resulting key generated between A and B is fresh, i.e., statistically independent of $K$ and E's observation $Y_E$, i.e., $I(K^g; Y_E K) \approx 0$. Indeed, E can try every one of the $2^{|K|}$ possible keys on her observation $Y_E$ to determine the possible $X_A$'s. A conceptually convenient way to characterize this situation is to give E the key $K$ after she has made her observation $Y_E$. Using the notation $I(X_A; Y_E K)$ to denote her information in this situation, where $Y_E K$ denotes the joint random variables $Y_E$ and $K$, (2) generalizes to

$I(X_A; Y_E K) < I(X_A; Y_B)$  (3)

In (3), B is of course supposed to know $K$ when she plans to observe $Y_B$. Classically, the condition (3) may result if there is a limit on the data storage so that E cannot have the same observation as B, who can just store the relevant data using the knowledge of $K$, as in the broadcast scheme of Maurer. While the shared secret key $K$ is what occurs in the above $I(X_A; Y_E K)$, which E may use to estimate A's data in KCQ protocols, $K$ may be interpreted as all the side information E obtains in other QKG protocols such as BB84, or as the missing information that allows the conditional entropy $H(X|Y_E, K) = 0$ in a classical random channel protocol. These useful interpretations will be used later.

The following important relation between any three random variables should be noted:

$I(X; YK) = I(X; Y|K) + I(X; K)$  (4)

In the KCQ context, $I(X; K) = 0$ and $I(X; Y_E|K)$ can be used in lieu of $I(X; Y_E K)$. However, the distinction is important and has various ramifications in the BB84 key generation when $K$ is interpreted as E's side information.

Quantum mechanically, the knowledge of $K_m$ that specifies the mapping from classical data to quantum states would allow B to choose the optimum or near-optimum quantum measurement to discriminate among the data. Without knowing $K_m$, on the average E would need to pick a quantum measurement that would allow her to make reasonable estimates for different $k_m$'s, which leads to an inferior performance compared to B for a specific $k_m$. This situation clearly obtains when E does not
have long-term quantum memory to hold her copy of the 
quantum signal before she has to make a quantum mea- 
surement to extract the information without knowing the 
key. In practice, the key Km can be erased or kept secret 
indefinitely from E, as E really would never have Km, 
and she has to make a quantum measurement without 
knowing K even if she has long-term quantum memory. 
Classically, there is no need for E to know K in order for 
her to be able to correlate in a definite manner the dif- 
ferent data connected by K, such as the different session 
keys generated from a master key. For example, with the observations of $x_1 \oplus k$ and $x_2 \oplus k$ for two independent bits $x_1$ and $x_2$ and a secret bit $k$, one knows exactly $x_1 \oplus x_2$ while knowing nothing about $k$. In this quantum
situation, however, such correlation cannot be obtained 
without quantum measurement on the quantum signals 
that E possesses. Thus, E has to suffer the uncertainty 
of picking her quantum measurement without knowing 
K even if she has long-term quantum memory. This 
is the principle underlying advantage creation in KCQ 
protocols. Note that this is a quantum effect with no 
classical analog, because classically E can always make 
a complete observation of her received signal in princi- 
ple. There would be no incompatible measurements as 
in the quantum case. The following intuitive result re- 
lated to the advantage of a shared secret key, as well as 
the average effect of side information or missing informa- 
tion, is useful in the analysis of classical and quantum 
key generation. 

Lemma 1: For any three jointly distributed random variables $X, Y, K$,

$I(X; YK) \le I(X; Y) + H(K)$.  (5)

Proof: From $I(X; YK) = H(X) - H(X|Y,K)$ and $I(X; Y) = H(Y) - H(Y|X)$, (5) is equivalent to $H(Y) + H(K) + H(X|Y,K) \ge H(Y|X) + H(X)$. The left side of the last inequality is $\ge H(X,Y,K) = H(Y) + H(K|Y) + H(X|Y,K) \ge H(X,Y) = H(X) + H(Y|X)$, completing the proof.
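The following is an added numerical check, not part of the original paper: it builds the joint law of the classical example above ($x_1 \oplus k$, $x_2 \oplus k$ for independent uniform bits) and evaluates identity (4) and the bound (5) of Lemma 1 on it, showing that E learns the parity $x_1 \oplus x_2$ completely while learning nothing about $k$, and that Lemma 1 holds with equality here. The joint distribution is constructed inline; the helper names are my own.

```python
# Added illustration (not from the paper): numerically check identity (4) and the
# bound (5) of Lemma 1 on the classical x1 XOR k, x2 XOR k example.
from itertools import product
from math import log2


def entropy(dist):
    """Shannon entropy in bits of a distribution given as {outcome: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def marginal(joint, view):
    """Push the joint law {outcome: p} through `view`, a function of the outcome."""
    out = {}
    for outcome, p in joint.items():
        v = view(outcome)
        out[v] = out.get(v, 0.0) + p
    return out


def mutual_information(joint, a, b):
    """I(A;B) = H(A) + H(B) - H(A,B) for two views a, b of the joint outcome."""
    def both(o):
        return (a(o), b(o))
    return (entropy(marginal(joint, a)) + entropy(marginal(joint, b))
            - entropy(marginal(joint, both)))


def conditional_mi(joint, a, b, c):
    """I(A;B|C) = I(A;BC) - I(A;C), the chain rule behind eq. (4)."""
    def b_and_c(o):
        return (b(o), c(o))
    return mutual_information(joint, a, b_and_c) - mutual_information(joint, a, c)


# Outcome layout: ((x1, x2), (y1, y2), k) with y_i = x_i XOR k.
def view_x(o):          # A's data X = (x1, x2)
    return o[0]

def view_y(o):          # E's observation Y = (x1^k, x2^k)
    return o[1]

def view_k(o):          # the secret bit K
    return o[2]

def view_yk(o):         # the pair (Y, K): what E holds once she is handed K
    return (o[1], o[2])

def view_parity(o):     # the correlation x1 XOR x2 that E can read off without K
    return o[0][0] ^ o[0][1]


def xor_example():
    """Constructed joint law for independent uniform bits x1, x2, k (each outcome 1/8)."""
    return {((x1, x2), (x1 ^ k, x2 ^ k), k): 1 / 8
            for x1, x2, k in product((0, 1), repeat=3)}


def identity_4(joint):
    """Returns (I(X;YK), I(X;Y|K) + I(X;K)); eq. (4) says the two are equal."""
    lhs = mutual_information(joint, view_x, view_yk)
    rhs = (conditional_mi(joint, view_x, view_y, view_k)
           + mutual_information(joint, view_x, view_k))
    return lhs, rhs


def lemma_1(joint):
    """Returns (I(X;YK), I(X;Y) + H(K)); Lemma 1 says the first is at most the second."""
    lhs = mutual_information(joint, view_x, view_yk)
    rhs = mutual_information(joint, view_x, view_y) + entropy(marginal(joint, view_k))
    return lhs, rhs


def what_e_learns(joint):
    """Returns (I(X1 xor X2; Y), I(K; Y)): the parity is fully revealed, the key not at all."""
    return (mutual_information(joint, view_parity, view_y),
            mutual_information(joint, view_k, view_y))


if __name__ == "__main__":
    j = xor_example()
    print("eq. (4):", identity_4(j))          # (2.0, 2.0)
    print("Lemma 1:", lemma_1(j))             # (2.0, 2.0): bound met with equality
    print("parity, key:", what_e_learns(j))   # (1.0, 0.0)
```

Here $I(X; Y) = 1$ bit (the parity), $H(K) = 1$ bit, and $I(X; YK) = 2$ bits, so (5) is tight: handing E the key after the fact recovers everything, exactly the classical situation that the quantum measurement problem removes.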

According to (5), if $K_m$ represents the missing classical information in a channel with random parameter that together with $Y_E$ yields correct decryption, i.e., $H(X_A|Y_E, K_m) = 0$, then $H(K_m)$ is indeed the maximum possible amount of missed information, which may not be large. For example, $K_m$ may represent the signal phase or amplitude variation caused by a classically random channel. In the quantum case, however, no missing information can make up totally for the loss from $Y_B$ to $Y_E$. There is irretrievable loss from the inferior quantum measurement, as the quantum copy is expended upon measurement.



C. Eve's Information and Error Profile

The security criterion for key generation, classical or quantum, has so far been limited to $I(K^g; Y_n^E)$, the mutual information between Eve's observation $Y_n^E$ and the final key $K^g$ generated, with the provision that E's side information needs to be accounted for. Except in the limit $I(K^g; Y_n^E) \to 0$, which says that $K^g$ and $Y_n^E$ are statistically independent, the information-theoretic quantity $I(K^g; Y_n^E)$ has no clear quantitative operational significance with regard to the usefulness of $Y_n^E$ for Eve in an eavesdropping context. One such operational criterion is given by Eve's trial complexity $C_t$, as measured by the average number of trials she needs to successfully use trial keys on the basis of her information. For example, when she knows nothing about $K^g$, which she would guess in successive trials to, say, open a safe, she would need an average of $C_t = 2^{|K^g|-1} + 1/2$ trials to succeed. It would also describe E's ability when she launches a known-plaintext attack on $K^g$ used in a standard cipher. In general, $C_t$ depends on her exact error profile $p(\hat{k}^g = K^g | Y_n^E)$, the probability that, given her information, each of the $2^{|K^g|}$ guessed sequences $\hat{k}^g$ is correct, as given in equation (7) below.

This error profile E can obtain herself from the conditional probability $p(X_A|Y_E)$, which is in turn specified by her channel transition probability, the a priori data probability, and the overall coding/communication format including possible deliberate randomization by A. Furthermore, many different $p(\hat{k}^g = K^g|Y_n^E)$ lead to the same $H(K^g|Y_n^E)$ or $I(K^g; Y_n^E) = |K^g| - H(K^g|Y_n^E)$, which alone is not sufficient to capture E's ability to use her information. In the case $I(K^g; Y_n^E) = 0$, $p(\hat{k}^g = K^g|Y_n^E) = 2^{-|K^g|}$ for every guess $\hat{k}^g$. It is not known how $I(K^g; Y_n^E)$ is related to $C_t$ in general, except in the asymptotic limit when E can encode or interpret $I(K^g; Y_n^E)$ via asymptotic equipartition, which she cannot since she does not control A's data transmitter. One may lower bound E's average bit-error probability $P_b(K^g)$ by Fano's inequality, which is valid for any $n$-sequence $Y_n^E$ that may possess correlations among its bit values. Let $H_2$ be the binary entropy function. Fano's inequality gives, in the present situation,

$H_2[P_b(K^g)] \ge 1 - I(K^g; Y_n^E)/n$.  (6)

If $I(K^g; Y_n^E)$ is exponentially small with exponent $\lambda$, it follows from (6) that $1/2 - P_b(K^g)$ is exponentially small with exponent $\lambda/2$. However, the bit error rate is not really meaningful in this connection because the bits may be highly correlated in the way they affect $C_t$.

The following analysis shows that $I(K^g; Y_n^E)$ is not a sufficient measure of E's capability unless it is really extremely small. One needs to supplement it at least by $p_E = \max p(\hat{k}^g = K^g|Y_n^E)$, which is an important criterion in our KCQ approach. The error profile gives the probabilities $p_1 \ge p_2 \ge \cdots \ge p_N$, $N = 2^{|K^g|}$, for each of the $N$ guesses $\hat{k}^g$. Thus, $p_E = p_1$ and the trial complexity $C_t$ is

$C_t = \sum_{n=1}^{N} n\, p_n$.  (7)

Given that E has $I_E$ bits of information on $K^g$, with $|K^g| = n$, the largest $p_1$ that can be obtained is given by the error profile that spreads $1 - p_1$ among the $2^n - 1$ other possibilities uniformly, i.e., it is determined by the equation

$H_2(p_1) + (1 - p_1)\log(2^n - 1) = n - I_E$.  (8)

Thus, $p_1 \approx 2^{-l}$ for $I_E \approx n 2^{-l}$ and large $n$, and E needs only about 1 bit of information out of $|K^g| = 100$ for a possible error profile with $p_1 = 10^{-2}$, a disastrous security breach. This most favorable situation for E with a given $I_E$ may be contrasted with her most unfavorable situation, where her 1 bit of knowledge corresponds to knowing one bit of the $|K^g|$-bit sequence exactly.

As we have just seen from (8), $p_1$ can be made about as large as the fraction of the bits of $K^g$ that she knows through $I_E$. To ensure $p_1 < 2^{-l}$ through $I_E$, one needs to impose the strong requirement that $I(K^g; Y_n^E) < n 2^{-l}$. In addition to the necessity of assessing the actual minimum $C_t$ attainable with a given $I(K^g; Y_n^E)$, the above condition on $p_1$ alone would lead to $l \sim 100$ for a truly secure system, which is practically very difficult to obtain on the basis of reducing $I(K^g; Y_n^E)$ for realistic $n$. On the other hand, a more detailed assessment of the error profile, or just $p_1$, would give a more accurate estimate of E's true ability to use her information than the mere $I(K^g; Y_n^E)$, as shown in the following.

Under the condition $p_1 \le 2^{-l}$, one obtains

Lemma 2:

When E's optimum estimate of $K^g$ has an error probability $P_e \ge 1 - 2^{-l}$, her information on $K^g$ satisfies $I(K^g; Y_n^E) \le n - l$, $n = |K^g|$.

Proof:

Since $p_1 \le 2^{-l}$, it follows that $l \le n$. The maximum $I_E$ is obtained when $H(\{p_i\})$ is minimized, which occurs at $p_1 = \cdots = p_m = 2^{-l}$ for $m = 2^l$, $p_{m+1} = \cdots = p_{2^n} = 0$, from the Schur-concavity of $H$ (which can actually be seen to follow from concavity directly).

Although this bound is weak, it may be used to establish the existence of secure KCQ protocols under rather general situations to be described in section III.H. Specifically, we take the approach that instead of a bound on $I_E$, $p_E \le 2^{-l}$ has to be imposed, which leads to $C_t \ge (2^l + 1)/2$ similarly to Lemma 2.

Lemma 3:

Let E's optimal estimate of $K^g$ have a success probability $p_E \le 2^{-l}$; then her trial complexity $C_t$ is lower bounded by $C_t \ge (2^l + 1)/2$.

Thus, regardless of her mutual information $I_E$, Lemma 3 guarantees E's trial complexity at a level that may already be satisfactory, and does so without privacy distillation. Note that a bound on $C_t$ for given $I_E$ can be obtained via (8) and Lemma 3. It follows from Lemmas 2 and 3 that it is much more useful to impose a bound $p_1 \le 2^{-20}$ for $n = 100$, which may correspond to $I_E \approx 20$, than a bound $I_E \le 1$, which may correspond to $p_1 \sim 10^{-2}$. Furthermore, e.g., a system with $|K| = 20$, $n = 200$, $l \sim 100$ would be quite useful regardless of what $I_E$ actually is.
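The following is an added worked example, not code from the original paper: it computes the trial complexity $C_t$ of eq. (7) for explicit error profiles, solves eq. (8) numerically for the largest $p_1$ compatible with a given $I_E$ (reproducing the $|K^g| = 100$, $I_E = 1$ case above), contrasts it with the profile in which one bit of $K^g$ is known exactly, and checks the bounds of Lemmas 2 and 3. All function names are my own; the profiles are constructed.

```python
# Added illustration (not from the paper): Eve's error profile, the trial complexity
# C_t of eq. (7), the most favourable profile for her at a given I_E from eq. (8),
# and the bounds of Lemmas 2 and 3. |K^g| = n throughout.
from math import log2


def binary_entropy(p):
    """H_2(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1 - p) * log2(1 - p)


def trial_complexity(profile):
    """Eq. (7): C_t = sum_n n p_n, guesses tried in order of decreasing probability."""
    probs = sorted(profile, reverse=True)
    return sum(i * p for i, p in enumerate(probs, start=1))


def info_from_profile(profile, n):
    """I_E = |K^g| - H(K^g | Y_E) for an explicit profile on the 2^n guesses."""
    return n - sum(-p * log2(p) for p in profile if p > 0)


def spread_profile(p1, n):
    """The profile of eq. (8): best guess p1, remaining mass uniform over the other 2^n - 1."""
    rest = 2 ** n - 1
    return [p1] + [(1 - p1) / rest] * rest


def spread_trial_complexity(p1, n):
    """Closed form of trial_complexity(spread_profile(p1, n)), usable for n = 100."""
    big_n = 2 ** n
    # guesses 2..N each carry (1 - p1)/(N - 1); sum_{i=2}^{N} i = N(N + 1)/2 - 1
    return p1 + (1 - p1) * (big_n * (big_n + 1) // 2 - 1) / (big_n - 1)


def max_p1_from_info(n, info_bits):
    """Largest p1 compatible with I_E = info_bits, i.e. the root of eq. (8):
    H_2(p1) + (1 - p1) log2(2^n - 1) = n - I_E.
    The left side falls from n (uniform profile, p1 = 2^-n) to 0 (p1 = 1), so bisect."""
    log_rest = log2(2 ** n - 1)
    target = n - info_bits
    lo, hi = 2.0 ** (-n), 1.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if binary_entropy(mid) + (1 - mid) * log_rest > target:
            lo = mid            # profile still has more entropy than allowed: p1 may grow
        else:
            hi = mid
    return (lo + hi) / 2


def one_bit_known_p1(n):
    """Eve's least favourable way to hold 1 bit: one bit of K^g known exactly, rest uniform."""
    return 2.0 ** (-(n - 1))


def lemma_3_bound(p_e):
    """Lemma 3: with p_E <= 2^-l the trial complexity is at least (2^l + 1)/2; here 2^l = 1/p_E."""
    return (1.0 / p_e + 1.0) / 2.0


def lemma_2_bound(n, l):
    """Lemma 2: p_1 <= 2^-l implies I_E <= n - l."""
    return n - l


def compare_one_bit(n=100):
    """The paper's 100-bit case: the same I_E = 1 bit as best and worst case for Eve."""
    return {"favourable_p1": max_p1_from_info(n, 1.0),
            "unfavourable_p1": one_bit_known_p1(n)}


if __name__ == "__main__":
    print(compare_one_bit())                       # favourable ~1.1e-2, unfavourable 2^-99
    print(spread_trial_complexity(0.01, 100))      # still ~0.99 * 2^99 trials on average
```

The two values for $I_E = 1$ bit differ by 28 orders of magnitude, which is the point of the text: $I_E$ alone says almost nothing about $p_E$. Note also that a large $C_t$ does not rescue a large $p_1$, since $C_t$ is an average over the whole profile and is dominated by the uniform tail.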

In view of our replacement of a constraint on $I_E$ by one on $p_E$, together with the corresponding elimination of privacy distillation, the following comment is in order. Privacy distillation moves E's uncertainty among $n$ bits to $n - l$ bits when $I_E \approx l$ bits. If $K^g$ is to be used as a one-time pad, such a move is necessary for a near-perfect security level. However, $K^g$ would often be used as a seed key in some other cipher. In that case the privacy distillation merely reduces the key size of $K^g$, not its randomness to E, as has already been observed in the literature. Particularly for stream ciphers, which may have similar speed and complexity for different key sizes, it may not be worth the trouble to carry out any privacy distillation before the raw $K^g$ is used.

In attacking a KCQ system, E may always guess the seed key $K_m$ and make the corresponding optimum quantum measurements to decrypt the data. Her success probability, however, is only $p_E = 2^{-|K_m|}$. If she guessed the key $K_m$ incorrectly, the probability she would get $K^g$ correctly from $Y_n^E$ is exponentially small in $n$, because different keys $k_m$ lead to different quantum states for the same data. Furthermore, she has only (at most) one copy of the quantum signal (with energy at the designed security level in the qumode case) to launch this attack, and can launch it only once. This corresponds to the above error profile with $p_1 = 2^{-|K_m|}$ but no more than one trial. Note that the seed key $K_m$ has to be guessed in total, as it is not being used in a bit by bit or segment by segment manner.

D. Key Rate of Secure Protocols 

As is evident from Fig. 2, E has to deal with the $X_n$ chosen by A and has no independent way to encode for her own channel $I(X_n; Y_n^E)$. Thus, by choosing a rate $R$ between the two sides of (3), one may be able to force the second term in $\Delta I$ to be zero and obtain $\Delta I = \max_{p(X_n)} I(X_n; Y_n^B)$ as a consequence of the Shannon Coding Theorem and its Strong Converse for memoryless channels. The Strong Converse states that the block error rate goes to 1 exponentially in the block length at rates above capacity, which may already imply $I(X_n; Y_n^E) \to 0$, as will be seen in the CPPM scheme of section VI. When a shared secret key is used, the classical channels become ones with memory, and the corresponding Coding Theorems and their Converses may be employed. Since such results on channels with memory are typically weaker quantitatively, we may employ the memoryless results using the following approach. A may transmit at an input bit rate $R$ satisfying

$I(X_n; Y_n^E K)/n < R < I(X_n; Y_n^B)/n$  (9)

where $I(X_n; Y_n)$ refers to the mutual information between $n$-bit sequences. Let independent keys $K_i$, $i \in \{1, \ldots, m\}$, be the secret keys used for the $i$th $n$-sequence, each randomly chosen from $\{0,1\}^{|K|}$. Then, by treating each $X_n$ sequence as a single word or symbol, we have created a memoryless channel on the symbols. This is because E's and B's channel transition probabilities for the different $m$ symbols are the same, respectively. As a consequence, the memoryless Coding Theorem and its Strong Converse can be applied to yield the existence proof of a code that generates arbitrarily close to $m\, I(X_n; Y_n^B)$ bits.

It should be noted that condition (9) already includes the cost of the key $|K|$ for net key generation. If one uses instead the condition

$I(X_n; Y_n^E)/n < R < I(X_n; Y_n^B)/n$  (10)

together with the net-key generation condition

$|K| < \Delta I = I(X_n; Y_n^B) - I(X_n; Y_n^E)$,  (11)

it is more stringent than (9) from Lemma 1. If the system is information-theoretically secure against known-plaintext attacks for direct encryption, briefly discussed in section VII and treated extensively in Part II, the keys may be re-used because the different fresh keys generated from two different uses of $K$ are independent of each other. In such a case, only condition (10) without condition (11) needs to be satisfied. If the $K_i$ are not re-used, a net key generation rate is obtained under (9), or (10) and (11).

More generally, since the above strategy yields a block error rate $\ge 1 - e^{-m\epsilon}$, where $\epsilon$ is a characteristic of the channel that depends on $n$, we have $p_E = p_1 \le e^{-m\epsilon}$ even when the error-free data is used as $K^g$ without additional privacy distillation. Using Lemma 2, we have also $I(K^g; Y_n^E|K) \le m(n - \epsilon)$. To summarize, using also Lemma 3 we have

Theorem 1:

Under condition (9), unconditionally secure protocols may be obtained via error correction coding but without further privacy distillation that satisfy

$p_1 \le e^{-m\epsilon}$, $I(X_n; Y_n^E|K) \le m(n - \epsilon)$, $C_t \ge (2^{m\epsilon} + 1)/2$,  (12)

where $\epsilon > 0$ is determined from the channel specification.

Note that a net key can be taken as $X_n$ or its privacy distilled version, with $I(K^g; Y_n^E K) \approx 0$ guaranteed from (12) only when $|K| < \epsilon$. On the other hand, the security level (12) itself may be satisfactory already. We use the phrase 'unconditional security' above in the usual sense, except that the security level is measured by $p_E$ and $C_t$ rather than $I_E$. This represents a more efficient approach because, as we have seen in III.C, a bound on $p_E$ has to be imposed in any case.

E. Specific Detection or Coding Scheme 

As in all the unconditional security proofs of QKG protocols so far presented in the literature, the above development can only yield an existence proof of a secure protocol, because no specific code has been given. For actual application, one would need to provide a specific coding or signaling scheme, in either classical or quantum key generation, and show quantitatively that Eve has little knowledge of $K^g$. While $I(K^g; Y_n^E)$, to be supplemented by E's side information, is a measure of E's information, it is not the most useful quantity to deal with, as we have already seen above, because E cannot encode. Indeed, as discussed in III.C, it is her error profile on $K^g$ obtained from her observation, not just $I(K^g; Y_n^E)$, that really matters. The appropriate measure to this end is her optimum block error probability $P_e(X_n|Y_n^E, K)$ given her observation and side information. For advantage creation, one wants to obtain the situation where

$P_e(X_n|Y_n^E, K) \to 1$, $P_e(X_n|Y_n^B) \to 0$.  (13)

Condition (13) is equivalent to the above coding-theoretic existence result when one argues, as in (9), by coding on the $n$-bit symbols. In actual application, it may well occur that the users work with only a single $n$-bit symbol at a time, especially since that already corresponds to $n$-bit coding. In such a case, (9) or (10) can be ignored and (13) is the appropriate condition for advantage creation. Similarly to Theorem 1, we obtain via Lemma 2 and Lemma 3:

Theorem 2:

For a detection scheme that has $P_e(X_n|Y_n^E, K) \ge 1 - 2^{-l}$ while $(X_n|Y_n^B)$ is error-free in use, an unconditionally secure protocol for the following fixed security level is obtained without further privacy distillation and with a key cost $|K|$:

$p_E \le 2^{-l}$, $I(X_n; Y_n^E|K) \le n - l$, $C_t \ge (2^l + 1)/2$.  (14)



Note that Theorem 2 is valid for a single use of the block detection scheme without further coding. As in Theorem 1, the scheme is certainly useful whenever $|K| < l$ if the resulting security level is satisfactory. To decrease $I(K^g; Y_n^E K)$, further privacy distillation may be needed, while no guarantee is offered in the theorem that a net key with $I_E \approx 0$ can be obtained that is larger than $|K|$. However, in an appropriately designed scheme, it may already happen that $I(X_n; Y_n^E K) \approx 0$ with a secure error profile without further privacy distillation. In such a case, the following bit-error rate condition holds with independent bit errors,

$P_b(X|Y_n^E, K) \to 1/2$, $P_b(X|Y_n^B) \to 0$.  (15)

See section VI for an example of a specific protocol that displays such behavior under rather general attacks. Condition (15) implies (13), and can be taken as the advantage creation condition at the bit level that requires no further privacy distillation for generating $K^g$.

Observe that in the security proof of a specific detec- 
tion/coding scheme, one must be careful to ascertain E's 
optimum block error by including her adaptive attacks, in 
particular ones via attacks on the key. Also, for a full se- 
curity proof one needs to solve the novel quantum detec- 
tion problem in which one chooses the optimum quantum 
measurement in anticipation of making a future decision 
on the basis of further information not available at the 
time of quantum measurement. However, such problems 
also occur in the usual QKG protocols even in the con- 
text of individual attacks, whenever a specific scheme is 
employed rather than a mere coding-theoretic existence 
claim. They have yet to be dealt with in the literature. 

F. Key Verification 

A final key verification process is needed in KCQ protocols as compared to BB84. In this case, A or B uses the generated key $K^g$ to encrypt a fixed shared secret bit sequence $K'_v$, which is perhaps the extended output of a fixed known transformation on some separate shorter shared secret key $K_v$, $|K_v| < |K'_v|$, and sends it to the other party through reliable communication. The encryption mechanism for getting $K'_v$ via $K^g$ may be the same as Fig. 2 but used for direct encryption, thus no privacy distillation and key verification would be involved there. It is also possible to reverse the above roles of $K_v$ and $K^g$ in the verification, making it similar to a message authentication protocol on $K^g$ with a secret key $K_v$. When $K_v$ is used as a one-time pad to check an openly chosen random unkeyed hashed version of $K^g$ of size $|K_v|$, the average probability that two different $K^g$ are mistakenly agreed upon is $2^{-|K_v|}$. This results from a random coding argument similar to the proof of the Shannon Channel Coding Theorem or the privacy distillation code performance theorem in Ref. [3]. The standard results on hashing collisions can also be used instead. If the users believe there is only a small number of errors in $k^g$, they may try to correct them via open discussion as in some BB84 protocols, via parity check or other methods.
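The following is an added example of the one-time-pad variant of the verification step just described, not code from the original paper: the openly chosen unkeyed hash is a random linear (GF(2) parity-check) hash of the candidate $K^g$, truncated to $|K_v|$ bits and XORed with $K_v$ before transmission; the receiver recomputes the tag on his own candidate. The function `false_agreement_rate` enumerates every possible hash choice for small sizes and confirms the $2^{-|K_v|}$ false-agreement probability. Names and the sample keys are my own constructions.

```python
# Added illustration (not from the paper): key verification with an openly chosen
# random linear hash of K^g, one-time-padded with the short pre-shared key K_v.
import secrets


def random_linear_hash(in_bits, out_bits, randbits=secrets.randbits):
    """An openly chosen unkeyed hash: out_bits random parity checks over the in_bits of K^g,
    i.e. a random out_bits x in_bits matrix over GF(2), one row mask per output bit."""
    return [randbits(in_bits) for _ in range(out_bits)]


def apply_hash(rows, key_int):
    """h(x) = M x over GF(2): output bit i is the parity of the bits of x selected by row i."""
    out = 0
    for row in rows:
        out = (out << 1) | (bin(row & key_int).count("1") & 1)
    return out


def verification_tag(rows, key_int, k_v):
    """What the sender transmits: the |K_v|-bit hash of her K^g, XORed with K_v as a one-time pad."""
    return apply_hash(rows, key_int) ^ k_v


def verify(rows, key_int, k_v, tag):
    """The receiver's check on his own candidate K^g."""
    return verification_tag(rows, key_int, k_v) == tag


def false_agreement_rate(in_bits, out_bits, kg_a, kg_b):
    """Exact probability, over all 2^(in_bits*out_bits) hash choices, that two different
    candidates kg_a != kg_b get the same tag. It equals 2^-out_bits for every such pair:
    M(kg_a) = M(kg_b) iff M(kg_a XOR kg_b) = 0, and each parity check of a fixed nonzero
    vector is 0 with probability 1/2, independently per row."""
    assert kg_a != kg_b
    mask = (1 << in_bits) - 1
    collisions = 0
    total = 2 ** (in_bits * out_bits)
    for m in range(total):
        rows = [(m >> (i * in_bits)) & mask for i in range(out_bits)]
        collisions += apply_hash(rows, kg_a) == apply_hash(rows, kg_b)
    return collisions / total


def run_verification(n_bits=128, v_bits=32):
    """One round: constructed keys, a hash chosen openly after K^g is fixed, and B's check.
    Returns (accepted with identical K^g, accepted with a one-bit discrepancy)."""
    k_g = secrets.randbits(n_bits)               # constructed: the key A believes she shares
    k_v = secrets.randbits(v_bits)               # constructed: the short pre-shared K_v
    rows = random_linear_hash(n_bits, v_bits)    # public; E learns it but not h(K^g)
    tag = verification_tag(rows, k_g, k_v)
    return verify(rows, k_g, k_v, tag), verify(rows, k_g ^ 1, k_v, tag)


if __name__ == "__main__":
    print(run_verification())                       # (True, False) except with prob. 2^-32
    print(false_agreement_rate(3, 2, 0b101, 0b011)) # 0.25 = 2^-2
```

Two practical caveats follow from the one-time-pad role of $K_v$: it must be consumed per verification (two tags padded with the same $K_v$ XOR to $h(K^g_1) \oplus h(K^g_2)$, which is exactly the kind of correlation the text says E must not get), and the $2^{-|K_v|}$ figure is a statement about a fixed pair of candidates averaged over the public hash choice, so the hash must be drawn independently of the candidate keys.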

Given that a common key $k^g$ is generated between A and B, it can be seen that E's information cannot be more than what she can get from one full copy of the quantum ciphertext, which may be granted to her for the purpose of bounding her information. This is because whatever probe she introduced that may mess up the state B receives, she cannot obtain more information than that of a full copy, although she may introduce enough errors to make agreement between A and B impossible. Such a mess up, however, is not something A and B could avoid in the presence of even a 'passive' attacker that takes energy out of the signal by tapping. Thus, there is no loss of generality in not being able to establish a key in the presence of E, so long as the protocol is not sensitive, as to be discussed in section IV. Also, E cannot correlate her own states and B's states to obtain information, as she does not know $K$ and what states to correlate with. The probability of such a successful attack is exponentially small in the number of bits $n$. Thus, perfect forward secrecy of $K^g$ with respect to $K$ is obtained, while both intrusion detection and intrusion-level detection are avoided.



G. Advantage Enhancement 

Given that advantage can be created, it is possible to enhance it, i.e., decrease the attacker's performance for a fixed user performance, by various techniques. These include first of all data bit randomization (DBR), the use of a randomly chosen open or secret source code that re-arranges the $u_i$ in Fig. 2. Secondly, one may employ deliberate error randomization (DER), the addition of error bits to B introduced deliberately by A with a corresponding error correcting mechanism such as a CECC on the quantum states. Thirdly, one may introduce chaining among the data and keys, i.e., the use of local feedback to make future transmissions dependent on past ones. Especially when used in conjunction, such techniques could lead to a flattening of E's error profile for any fixed $n$, and hence an increase of her trial complexity $C_t$, whether her entropy $H(X_n|Y_n^E, K)$ is affected or not.

In the classical situation where a fixed amount of missing information represented by $K_m$ can be used to uniquely specify the channel suffered by E, as described in III.B, all such techniques cannot produce $H(X_n|Y_n^E, K)$ larger than $H(K_m)$, from Lemma 1. Nevertheless, such techniques may still be useful in a given application because $|K_m|$ may be large or it may be difficult to ascertain exactly. Furthermore, this is not the amount needed to be provided as shared secrets between A and B. Quantum mechanically, there is no $K_m$ that can restore the data perfectly for E in a KCQ protocol. Thus, these techniques could increase the key generation rate beyond the original $\Delta I$. In both the classical and quantum cases, such a possibility arises because the joint probability distribution of the random variables $(X_A, Y_B, Y_E)$ is not specified a priori, but rather subject to the creation of communication lines between (A, B) and (A, E) in a given communication situation.

Another technique for enhancing the advantage may be obtained as follows. Let $1 - \lambda$ be the fraction of the system split off by E and $\lambda$ the one remaining for B. This can be easily quantified in a qumode system via the signal energy, so that $\eta\lambda$ is the total fraction received by B under the line transmittance $\eta$. Let $p_v^\lambda$ be the probability that A and B verify that their generated keys agree with a fraction $\eta\lambda$ of the signal received by B, and $p_{1-\lambda}^E$ the probability that E correctly obtains the key with her fraction $1 - \lambda$. The strategy of granting E a copy of the quantum signal to bound her information is equivalent to the condition that E's probability of successful cheating $p_E' = p_v^\lambda \cdot p_{1-\lambda}^E$ is small when A and B proceed as if E were not interrupting, in a KCQ protocol as described in III.F. By making $p_v^\lambda$ small for $\lambda < \lambda_0$, a set threshold, $p_E'$ is modified to

$p_E' = p_v^{\lambda_0} \cdot p_{1-\lambda_0}^E$.  (16)

This represents advantage enhancement since (16) is smaller than $p_v^1 \cdot p_1^E$.

Two remarks on this technique are in order. First, under the use of (16), which is a kind of pre-set automatic intrusion detection, the cryptosystem becomes more sensitive and thus loses some of the robustness characteristics of KCQ protocols. Second, this technique may be considered as one of advantage creation, because the user's performance may be correspondingly lowered with the decrease of the attacker's performance.

H. Overall KCQ Protocol 

Schematically, a KCQ protocol corresponding to the 
communication situation of Fig. 2 may be summarized 
as follows. 

Generic KCQ Protocol: 

(i) A picks a random bit sequence $u_i$, encodes and modulates the corresponding $n$ qubits or $n$ qumodes as in Fig. 2, with a total secret key $K = (K_g, K_c, K_m, K_v)$ shared with B.

(ii) From Km, advantage creation is achieved via the 
different error performance obtainable by B and E who 
does and does not know Km at the time of their quantum 
measurements. 

(iii) Advantage enhancement and privacy distillation 
may be achieved with appropriate system design, delib- 
erate randomization and chaining techniques, so that a 
substantial net key can be generated on which E has as 
little information or as large an optimum error probabil- 
ity as desired. 

(iv) A and B verify that they agree on a common $K^g$ by using it with the secret key string $K_v$.

It is important to note the crucial role of the key verification process in the overall protocol. If E messed up the state B receives, it produces no effect on the security of the protocol if the key is verified, because E cannot in any case have more information on the correctly agreed key than what she can get from one full copy of the quantum signal, except with exponentially small probability. If the system is designed to be not sensitive to small disturbance, as any practical system must be, it is perfectly fine that the presence of E would disrupt the key generation process so that the key is not verified. On the other hand, there are problems in QKG protocols with intrusion-level detection, to be elaborated on in section IV.

We have explained the above steps that may enhance the advantage and improve the efficiency and security of the protocol. A full treatment of specific schemes will be given in the following and in Part II. By combining the analysis of sections II and III, we have

Theorem 3:

In the absence of channel noise, the protocol qk of Fig. 1 allows unconditionally secure key generation for any fixed $n$-sequence with a security level given in the form (12) without further privacy distillation.

Proof. We have seen in section II that E's error probability is bounded away from zero for any $n$, while B's is exactly zero, and the key $K$ is completely hidden with the quantum ciphertext alone. Thus, the above generic KCQ protocol would generate a fresh key. By coding as in Theorem 1, the security level (12) is obtained, where $\epsilon$ depends on the encryption mechanism and the state $\rho_x$.

Intuitively, one may expect that $H(K|X_n, Y_n^E)$ would remain substantial in qk even for large $n$, and also that $H(X_n|Y_n^E, K)$ is large. However, in the absence of either a security proof against known-plaintext attack or a proof that $I(X_n; Y_n^E K)/n$ can be made sufficiently small, Theorem 3 is not sufficient to guarantee a nonzero net key generation rate that E knows essentially nothing about. On the other hand, the bounds on $p_E$ and $C_t$ should be sufficient. A similar result would hold in the presence of channel noise, but a rigorous proof requires new techniques to be presented in Part II.

More generally, secure protocols can be created by using quantum entanglement as follows. For each $n$-bit data sequence $x$, let $2^{|K|}$ mutually orthogonal states in $\otimes_{i=1}^{n} \mathcal{H}_i$ be the possible $\rho_x^k$ corresponding to different values of $K$, $|K| < n$. Each individual state space $\mathcal{H}_i$ may be of any dimension. There exist many such modulation formats where the resulting $\rho_x = \sum_k p_k\, \rho_x^k$ are not mutually orthogonal for different $x$. We have

Theorem 4:

In the absence of channel noise, a KCQ protocol employing the above state modulation allows unconditionally secure key generation for any fixed $n$-sequence with security level given by (12) without further privacy distillation.

Proof.

From Lemma 1, $I(X_n; Y_n|K)$ as obtained by optimizing over all of E's possible quantum measurements is bounded by $H(K) + I(X_n; Y_n)$, obtained by the same measurement. From Holevo's inequality, $I(X_n; Y_n) \le S(\sum_x p_x \rho_x) - \sum_x p_x S(\rho_x)$. From the above modulation format, $S(\sum_x p_x \rho_x) \le n$ while $S(\rho_x) = |K| = H(K)$. Thus, condition (3) is satisfied and unconditionally secure protocols exist, via coding on $n$-bit blocks as described in III.D, with a security level given by (12).

For both Theorems 3 and 4, the system could be useful for any $|K| < n$ while the $|K_v|$ cost is negligible for large m, but the net key generation rate is not guaranteed to be nonzero if $I(K;Y_n^E)$ has to be made extremely small. Note that the possibility of a security proof for QKG relies on the claim that all the possible useful actions of E have been exhausted. That this is true in any particular protocol has to be ascertained carefully. We assert that this is the case for the KCQ protocols described in this section and section VI, as long as the model is taken to be a valid description of the real situation [?].

Note that although security against attacks on the key is automatic in qk, it is not in a general KCQ system. Even with key security against quantum ciphertext-only attacks, one needs to consider situations where some knowledge on the data x is obtained from a partial attack on $\rho_x^k$, and then an attack on the key k is launched with such knowledge, and then on x again, etc. The system is not fully secure unless the key is secure against such 'statistical attack'. This problem also occurs in BB84 type QKG when the generated key is used later for direct encryption. Even for the one-time pad mode, a known-plaintext attack can be launched to learn part of the key, and knowledge on the rest may be obtained by E from this and her probe information. These problems will be analyzed in detail in Part II.



I. Unconditional Security and System 
Implementation 

Unconditional security (US) in QKG is usually taken 
to mean security against all possible attacks allowed by 
the laws of physics (and logic), at a level that can be 
made arbitrarily close to perfect. In particular, it would 
imply security against an attacker that has unlimited 
computational power and hence can perform any ex- 
haustive search. Unconditional security must therefore 
be information-theoretic, not complexity-based, security. 
The term has, lately, often been used in a weakened 
sense, such as 'unconditional security against individual 
attacks'. As long as the security claim is precisely spelled 
out, the terminology issue is secondary. Since the secu- 
rity is only as good as the mathematical model being 
valid at the time of system use, it is useful to consider 
various different qualitative degrees of unconditional se- 
curity, especially in commercial type applications. As a 
matter of fact, the experimental development of QKG is 
still struggling within the realm of individual attacks, the 
justification being that it is physically complex, and currently practically impossible, to launch more general attacks. In this paper, various weaker claims of security are
also considered, especially for specific quantifiable proto- 
cols. 

In the presence of system imperfection including those 
arising from the source, transmission line, and detector, 
we separate out E's disturbance and call the rest 'chan- 
nel noise' and 'channel loss', as is common in communi- 
cation theory. In a situation intended for cryptographic 
applications, one first determines what this actual chan- 
nel including all these imperfections is, as characterized 
by the channel parameters in a canonical representation 
with some confidence interval estimates on these param- 
eters. To guarantee security, advantage creation is to be 
obtained under the following Advantage Creation Prin- 
ciple for unconditional security. 



(US) Advantage Creation Principle: 



All the noise and loss suffered by the users are assumed 
absent to the attacker, except those arising from a fun- 
damentally inescapable limit or introduced deliberately 
by the user at the transmitter. 



Generally, advantage creation is obtained from the difference between B's mutual information, which includes all the channel disturbance not counting E's for KCQ schemes and which is obtained from the state after disturbance by E for BB84 type schemes, and $I(X_n;Y_n^E|K)$, which includes all the irremovable system disturbance to E. There should be a sufficient margin between $I(X_n;Y_n^E)$ and the code rate $R$ in a coding based KCQ scheme so that the protocol is not sensitive to small fluctuation in channel parameters and small disturbance by E. Thus, it is evident that even if one can in principle get R close to $I(X_n;Y_n^E)$, $\Delta I$ determines the levels of channel parameter fluctuation and E's disturbance that can be tolerated for an efficient protocol (high $P_{eff}$ in Section IV). What counts as an irremovable disturbance to E is a matter of the state of technology and reality constraints, as well as fundamental obstacles. For unconditional security, such fundamental obstacles may include the laws of physics, deliberate actions by A at the transmitter, the shared secret between A and B, as well as facts of nature as we know them. Only these should be included in the above US Advantage Creation Principle. For many applications, practical advantage creation such as that obtained from security against individual attacks may be quite sufficient. Thus, in a weakened form, one may modify the US Advantage Creation Principle by imposing on E whatever constraints seem reasonable in a given application.



IV. PERFORMANCE EFFICIENCY OF QKG 
PROTOCOLS 

The performance of a QKG or key generation scheme 
for useful real-life application is gauged not only by its 
security level, but also its efficiency in at least two senses 
to be elaborated in the following. The security level is 
most usefully measured in terms of E's error profile on 
the final key as averaged over the random parameters 
of the system and minimized over E's possible attacks. 
Since there is generally a trade-off between security and 
efficiency, raising the efficiency for a given security level 
is equivalent to raising the security level for a given effi- 
ciency. In addition, for a protocol to be useful the effi- 
ciencies cannot be too low. 

The first type of efficiency that should be considered is protocol efficiency, denoted by $P_{eff}$, which has not been treated in the QKG literature. It can be defined as the probability that the protocol is not aborted for a given channel and a fixed security level in the absence of an attacker E. It is essential to consider the robustness of $P_{eff}$ with respect to channel parameter fluctuation, e.g., how sensitive $P_{eff}$ is to small changes in a channel parameter $\lambda_c$, which may denote, e.g., the independent qubit noise rate of any kind. In practice, $\lambda_c$ is known only approximately for a variety of reasons, and imperfection in the system can never be entirely eliminated. If $P_{eff}$ is sensitive to such small changes, the protocol may be practically useless as it may be aborted almost all the time. Sensitivity issues are crucial in engineering design, and there are examples of 'supersensitive' ideal systems whose performance drops dramatically in the presence of small imperfection. Classical examples include detection in nonwhite Gaussian noise [34] and image resolution beyond the diffraction limit [35]. Superposition of 'macroscopic' quantum states is supersensitive to loss [36]. This crucial sensitivity issue is one of fundamental principle, not mere state of technology. It has thus far received little attention in the field of quantum information.

As will be shown in sections V-VII, our qumode KCQ key generation protocols are robust to channel parameter fluctuations. On the other hand, the Lo-Chau protocol is supersensitive at high security level. This is because any amount of residual noise in the system would be mistaken as E's action in the parity-check hashing, and the protocol would be aborted according to its prescription. The situation is particularly severe in view of our discussion in III.C concerning E's ability to use her information. The reverse reconciliation protocol in Ref. [37], which supposedly can operate in any loss, is supersensitive in high loss. Let $\eta$ be the transmittance, so that $\eta \ll 1$ corresponds to the high loss situation. In the presence of a small additive noise of $\eta/2$ photons in the system, the protocol becomes completely useless because the noise induced by the attacker cannot be distinguished from excess noise. Apparently, the modified Lo-Chau or Shor-Preskill type protocols can be operated without such supersensitivity. Note that a high security level often decreases $P_{eff}$, and it is important to quantify the tradeoff.

Even when the scheme is not supersensitive, the sensitivity level has to be quantified in a QKG scheme involving intrusion-level detection for a complete protocol with quantifiable security, for the following reason that has not been discussed in the literature. The security proofs of such a scheme always have a conclusion of the following form: If E has information $I_{E_i} > \delta$ on the key from any attack $\Omega_i$, then the probability that it would pass the test is $P_i \le 1 - \epsilon_\delta$ for small $\delta$ and $\epsilon_\delta$. This may be put in the form of a conditional probability statement

$$P(\text{pass} \mid I_{E_i} > \delta) \le 1 - \epsilon_\delta. \qquad (17)$$

However, the reverse conditional probability statement is required for a real security proof:

$$P(I_{E_i} > \delta \mid \text{pass}) \le 1 - \epsilon_\delta. \qquad (18)$$

It is easy to see that $P(I_{E_i} > \delta \mid \text{pass})$ can be large under (17), say if E keeps attacking with an $\Omega_i$ that yields significant $I_{E_i}$. For example, in standard BB84, E can learn each bit with probability 0.85 in an opaque attack. This shows that the users must employ a 'stopping strategy' in a complete protocol, by adopting a stopping rule which stops the whole process after a number of test results that lead to aborting the protocol, and another rule to re-start the process. To evaluate (18), one would need $P(\text{pass})$ in addition to (17), which would involve in turn

$$P(\text{pass} \mid I_{E_i} < \delta). \qquad (19)$$

This probability (19) depends on the quantitative sensitivity level just discussed, corresponding to the case of no attack or $I_{E_i} \sim 0$. In addition, E's optimal attack on the sequence of key generation trials depends on the users' stopping and re-starting strategy, and it appears one cannot bound the overall $P(I_E > \delta \mid \text{pass})$ before such a strategy is spelled out. It should be clear that much remains to be done to obtain quantitative results on the overall protocol security and efficiency. In this connection, it may also be observed that in all security proofs involving the use of an error correcting code, it was not shown that an efficient (non-exponential) decoding algorithm exists. Thus, on many levels it has not been demonstrated that an efficient protocol exists with quantifiable security levels even for standard BB84. On the other hand, these problems do not arise in specific KCQ schemes.

After the protocol goes forward, there is clearly the question of key-bit generation efficiency (or rate) $k_{eff}$, which may be defined via the number of generated key bits minus the number of key bits used in the protocol, i.e., $k_{eff} = (\text{number of generated key bits} - |K|)/n$ when an n-bit data sequence was used to obtain them with a total key $K = (K_s, K_c, K_m, K_v)$ that is not re-used. This should be distinguished from the final effective key generation rate $\bar{k}_{eff}$, which includes all the operations in the protocol to give the actual speed of key generation, a subject not discussed in this paper. When the modulation key $K_i$ with $|K_i| = |K_m|$ is not re-used in the coded system of section III.D in an m-block of n-bit symbols,

$$k_{eff} = R - |K_m|/n - I_E/n - |K_v|/mn, \qquad (20)$$

where $I_E$ is E's information rate that needs to be eliminated. If the protocol is secure under known-plaintext attacks, the $|K_m|$ term can be omitted. The $I_E$ term may be omitted if the coding scheme automatically forces $I(X_n;Y_n^E|K)$ to be negligible.

V. KCQ COHERENT-STATE KEY 
GENERATION WITH BINARY DETECTION 

In this section we describe the use of KCQ on qumodes, quantum modes with infinite-dimensional Hilbert state spaces, for key generation via coherent states of intermediate or large energy. In most of the current experimental developments [2, 38] of QKG, coherent states are employed in BB84 type protocols that are limited in energy to ~0.1 photon, if only because of the photon-number splitting attack that E can launch near the transmitter [39, 40]. With KCQ, we will in this and the next section show that much larger energy can be employed, line amplifiers and pre-amplifiers can be used, and conventional optical technology on the sources, modulators, and detectors can be utilized. Furthermore, direct encryption coherent-state KCQ in what is called the $\alpha\eta$ scheme has already been experimentally observed [?], which will integrate smoothly with the corresponding key generation schemes that are currently under experimental development.

A. $\alpha\eta$ and its Extensions

The usual description of a single coherent state already involves an infinite dimensional space, referred to as a qumode. Similar to the qubit case in Fig. 1, we may consider M possible coherent states $|\alpha_l\rangle$ in a single-mode realization,

$$\alpha_l = \alpha_0(\cos\theta_l + i\sin\theta_l), \quad \theta_l = \frac{2\pi l}{M}, \quad l \in \{1,\dots,M\}, \qquad (21)$$

where $\alpha_0^2$ is the energy (photon number) in the state, and $2\pi/M$ is the angle between two neighboring states. In a two-mode realization, the states are products of two coherent states

$$|\alpha_0\cos\theta_l\rangle_1 |\alpha_0\sin\theta_l\rangle_2, \quad \theta_l = \frac{2\pi l}{M}, \quad l \in \{1,\dots,M\}. \qquad (22)$$

The qumodes may be those associated with polarization, time, frequency, or any type of classical mode. Any two basis states form a phase reversal keying (antipodal) signal set, which are nearly orthogonal for $\alpha_0 > 3$. The optimal quantum phase measurement [41] yields a root-mean-square phase error $\sim 1/\alpha_0$. Thus, when $M \gtrsim \alpha_0$, the probability of error $P_e \sim 1/2$ when the basis is not known, which has been confirmed numerically [13], while $P_e \sim \exp(-\alpha_0^2)$ when the basis is known.

This scheme can be used for key generation as follows. An attacker not knowing the key K has to make a measurement to cover all possible angles for different possible K' in her effort to pin down the data X. From such a measurement result, she can then try to determine all the possible X corresponding to the different possible k'. For each running key k' from her trial key k that selects a particular basis for a particular bit, E has a classical binary decision problem for two, not M, possible signal points. The more practical heterodyne measurement, which may be forced on the attacker with a signal set of varying amplitudes in addition to the varying phase of $\alpha\eta$, is 6 dB worse in energy than the optimal measurement [10]. The optimal phase measurement, which has no known physical realization, is worse than the optimal quantum measurement of antipodal signals by ~3 dB in signal energy. A detailed binary-decision numerical evaluation of this performance is under way, but the 3 dB estimate follows from the amplitude/phase and conjugate quadratures (heterodyne/homodyne) analogy, and is supported by known results [?]. In any event, the precise number is important in an actual design of a real system and in bringing out the intrinsic limitation of the system, but is not as important for illustrating the possibility and basic principle involved. In this case, the principle is that there is a substantial difference in performance due to a quantum effect that has no classical analog, viz., different incompatible quantum measurements versus a single complete measurement in the classical case.

More precisely, for discrimination of two equally likely coherent states $\{|\alpha_0\rangle, |-\alpha_0\rangle\}$, the optimum quantum receiver yields an error rate $P_b$ that may be compared to the heterodyne result $P_b^{het}$ and the phase measurement result $P_b^{ph}$, with $S = \alpha_0^2$,

$$P_b \simeq \tfrac14 e^{-4S}, \quad P_b^{het} \simeq \tfrac12 e^{-S}, \quad P_b^{ph} \simeq \tfrac12 e^{-2S}. \qquad (23)$$

Here, S measures the average number of photons received in the detector, and (23) applies in the so-called quantum-limited detection regime: unity detector quantum efficiency, infinite detector bandwidth, all device noise suppressed. Under (23) and dropping the factors in front of the exponentials for a numerical estimate of the bit-error rate (BER), which is required to be $< 10^{-9}$ per use in a typical communication application, we have, for a mesoscopic level $S \sim 10$, $P_b \sim 10^{-17}$, $P_b^{het} \sim 10^{-3}$, $P_b^{ph} \sim 10^{-9}$. If the data arrive at a rate of 1 Gbps, the user B is likely to have $10^9$ error-free bits in 1 sec, while E would have $\sim 10^{?}$ errors among her $10^9$ bits with the optimum phase measurement. By the usual privacy distillation approach [?], the users can generate $\sim 10^{?}$ secure key bits by eliminating E's information. Thus, in principle, $\alpha\eta$ in its original form is capable of secure key generation against individual attacks that employ the optimal phase measurement on each qumode. As with all specific QKG schemes to date, for which there is no full security proof against even constant individual attacks, in contrast to the claim of unconditional security in existence proofs, the above analysis does not prove there is no other individual or collective measurement, particularly adaptive ones utilizing the seed key information, that would yield a substantially better BER for E than the optimal phase measurement. Intuitively, we feel that is quite unlikely, but new techniques in classical and quantum detection theory are being developed to give precise quantitative treatment of such problems. Note that whatever the final result may turn out to be, it only affects the quantitative advantage level but not the possibility of advantage creation. In this connection, we may mention that $\alpha\eta$ in its original form was proposed for key generation in Ref. [43], with no consideration of information-theoretic key security against meaningful attacks. In the way $\alpha\eta$ was run, actually no fresh key can be generated because $P_b^{ph}$ in (23) is very small.

More serious limitations on the use of $\alpha\eta$ for key generation, I believe, arise from the US Advantage Creation Principle when the above scheme is to be utilized in practice. In the first place, device thermal noise is significant at high data rate and small signals, thus optical pre-amplifiers need to be used. For the usual erbium amplifier this would already take out the advantage over E. On this issue, it may be pointed out that the optimum binary quantum receiver has not been implemented so far in $\alpha\eta$, but the near-optimum Kennedy receiver [44], with $P_b = (1/2)e^{-4S}$, is currently under development. (The factor 1/2 difference between the optimum $P_b$ of (23) and the Kennedy value can be recovered in a Dolinar receiver described in Ref. [45], which is the first systematic investigation of optical receiver performance improvement via feedback.) On the other hand, the photon number amplifier (PNA) [39, 46] could lead to an ideal Kennedy receiver in principle, although the PNA is far from practical at present. Secondly, in the presence of a line loss $\eta$ from A to B, one would need to compare $P_b^B \sim e^{-4\eta S}$ to $P_b^E \sim e^{-2S}$ according to the Advantage Creation Principle when E attacks near A. Even if one uses the advantage creation technique of accounting for E's energy splitting described in III.G, and the postdetection selection technique of Ref. [?], in conjunction it appears difficult to create an advantage over E that would allow key generation over truly long-distance telecomm fibers. Thus, a more powerful approach via m-ary detection is developed in the following. Before we turn to this advantage creation technique, it is useful to introduce a number of other techniques that may improve the security and efficiency of KCQ schemes, and to demonstrate a general limitation on the binary detection approach to coherent-state KCQ for key generation.

It is important to note that $\alpha\eta$ represents a new type of cipher even when it is operated in a completely classical setting, and even in the absence of any channel noise. This is because deliberate randomization may be introduced by A in many ways. Consider the situation where the circle of Fig. 1 represents a classical two-dimensional signal space, say corresponding to the two quadratures of a single frequency. In the absence of any noise, the circle would represent the different possible phase-shifted signals of a given energy. Thus, the cryptosystem can be run in the same way as $\alpha\eta$ with or without classical noise, in hardware and even in software. Indeed, in the direct encryption experiments on $\alpha\eta$ reported thus far [?], the performance obtained via the coherent-state quantum noise can also be achieved by high-speed deliberate partial randomization of the signals by A corresponding to the coherent-state noise effect. When $\alpha\eta$ is used for key generation, one may employ the technique of deliberate signal randomization (DSR), for which each signal state at the output of the encryption box of Fig. 1 is further randomized so that it is uniformly distributed on the semi-circle centered at the state chosen by the running key K'. Similar to the qubit case, one may readily show the intuitively obvious fact that the key K is completely hidden from E who does not know K and X, even if she possesses one copy of the state corresponding to an arbitrarily long data sequence x. The general intertwined case described in section III will be treated in Part II, as it involves security against known-plaintext attack on direct encryption. This is true classically also, as just discussed. In the presence of quantum or classical noise, one needs to use a proper randomization if all the error control is built into the antipodal signal set only, as above. When a CECC is used on top of the antipodal signals, deliberate error randomization can be introduced to improve security/efficiency as described in section III.G.

In addition to providing complete protection against ciphertext-only attack on the key, DSR also improves the efficiency of key generation. If the state is rotated by an angle $\theta$ away from the one set by K', and $\theta$ is unknown to the detector which knows K', the optimum phase measurement BER as a function of $\theta$ is yet to be evaluated, but the corresponding Kennedy and heterodyne receiver performances are

$$P_b(\theta) \simeq e^{-2S(1-\sin\theta)}, \quad P_b^{het}(\theta) \simeq \tfrac12 e^{-S\cos^2\theta}. \qquad (24)$$

The $P_b(\theta)$ in (24) is the Chernoff bound [?] for the Kennedy receiver when $\cos\theta < 1$, while $P_b^{het}(\theta)$ is the usual upper bound on Gaussian errors [?]. It is expected that in a more exact evaluation of $P_b(\theta)$, the energy advantage is closer to the original 6 dB than the 3 dB one of (24), and similarly for $P_b^{het}(\theta)$. Thus, even for large signal energy, A can control the BER to B and E and cause more errors to E through B's advantage. In practice, some CECC should be used for reliable system operation, and the channel code key $K_c$, chaining, and other techniques could be used to enhance the advantage already created for efficiency improvement.

With DSR on $\alpha\eta$, one may obtain secure key generation against constant individual attacks as follows. Let the angle $\theta$ be randomized so that it appears uniform over the whole circle with respect to E's optimum (phase) constant qumode measurement. In this way, the key K is completely hidden even in a known-plaintext attack, in a way exactly similar to the classical noiseless case where a semicircle is sufficient to protect against ciphertext-only attacks. If the signal strength S is not large enough, this would also introduce errors to B. However, a CECC can be designed to correct only up to the BER B then suffers, which is smaller than that of E due to B's error performance advantage. By using Theorem 1, one may generate fresh keys, with no cost for each n-bit symbol due to security against known-plaintext attacks. We summarize:

Theorem 5:

With proper use of DSR as just described, a coded $\alpha\eta$ scheme leads to unconditionally secure net key generation against constant individual attacks with security level given by (12).

Again, with the development of proper bounding techniques, we believe the restriction to constant individual attacks in Theorem 5 can be simply removed. The detailed quantitative dependence of the security level as a function of S and other system parameters will be given for both individual and joint attacks in the future.

B. Binary Detection KCQ Key Generation 

For binary coherent-state signals, the optimal quantum receiver performance cannot be better than that of heterodyne by more than 6 dB in energy or error exponent. This is a known fact among all the usual binary coherent state systems, but there is no general proof in the literature. A proof can be supplied, which is not difficult, but is omitted here for brevity. Also, it may be proved that antipodal signals lead to optimal BER under an energy constraint on coherent states. Furthermore, it is not possible to increase the error advantage by utilizing bandwidth, or more generally any multimode system, for the following reason.

Consider an optical quantum field of arbitrary bandwidth $E(x,t)$, where x is the transverse spatial dimension. On her copy of the field, whether it is the one she split off by tapping or the hypothetical one we grant her for bounding her information, she can always in principle make a heterodyne measurement to obtain the classical readout $e(x,t)$, which is described by [48]

$$e(x,t) = e_s(x,t) + n(x,t), \qquad (25)$$

where $e_s(x,t)$ is the amplitude of the coherent-state signal and $n(x,t)$ is an additive Gaussian noise in t with spectral density $hf$ at frequency f. All quantum fluctuation in every space-time mode has already been included. In a binary detection system involving two classical signals in additive white Gaussian noise (AWGN), one can always extract one signal dimension (one quadrature out of one mode) that contains all the information for optimal discrimination [47]. The whiteness approximation that all $f \sim f_0$, a single frequency, is very good for all practical optical signals. Thus, even though $e(x,t)$ contains many quantum noise photons (one from every mode), in the optimal receiver only one such mode is to be extracted by appropriate spatial-temporal filtering. As a consequence, we are back to the single-mode situation where there is just one noise photon from heterodyne. Indeed, heterodyne is a 'universal' measurement whose result captures all aspects of the field mode (amplitude, phase, quadratures, etc.), which allows E to try all possible K to identify all possible data. One may understand this result from the important fact that a multimode coherent-state excited field from vacuum is equivalent to a single-mode coherent-state excited field.

The result just quoted is not true for nonclassical light, i.e., optical fields in quantum states that are not classical: not a coherent state or a classically random superposition of coherent states. Clearly, there can be a huge improvement between the optimal and heterodyne detection of a nonclassical state. For number states, ideal photon counting yields $P_b = 0$ for on-off signals. For squeezed states, homodyne detection along the maximum squeezing direction sees the minimum noise, as compared to one that may see a large noise without knowledge of that direction. Thus, by using K to determine such directions, the users would obtain a huge error advantage over E even in a binary detection system. One can similarly use number states and other orthogonal states in conjunction with coherent states to create other binary systems that give arbitrarily small BER for B but large ones for E.

We will not go into the details of such development because intermediate or large-energy nonclassical states do not have much practical significance as a data source in long-distance communication [13]. This is because the inevitable system imperfection, especially linear loss, would quickly transform such nonclassical states into classical ones. As a consequence, the initial energy or error advantage disappears quickly over a lossy communication line. For realistic application of mesoscopic or macroscopic energy signals, we may want to limit ourselves to coherent states.



VI. KCQ COHERENT-STATE KEY 
GENERATION WITH m-ARY DETECTION 

The above limitation on the binary detection advantage of an optimal quantum receiver versus heterodyne can be overcome in m-ary detection. The use of m-ary systems, in fact, is one form of coding. As will be seen in the following, it indeed corresponds to driving the system at a rate between B's and E's mutual information with respect to A, as in the coding-based scheme of section III.D. Amazingly, for the particular CPPM system we now turn to, such a rate choice by A automatically makes $I_E$ go to zero with a flat error profile, with also full information-theoretic security against known-plaintext attack on the key. This is proved against the universal heterodyne attack, and is likely to be true against all possible attacks. Thus, not only do the data enjoy unconditional security at the near perfect level, the key has a security that has never even been suggested possible before in either standard or quantum cryptography.

A. CPPM — Coherent Pulse Position Modulation 

An m-ary coherent-state pulse position modulation system has the following signal set for m possible messages,

$$|\phi_i\rangle = |0\rangle_1 \cdots |\alpha_0\rangle_i \cdots |0\rangle_m, \quad i \in \{1,\dots,m\}. \qquad (26)$$

In (26), each $|\phi_i\rangle$ is in m qumodes, all of which are in the vacuum state except the ith mode, which is in a coherent state $|\alpha_0\rangle_i$. The corresponding classical signals are orthogonal pulse position modulated if each mode is from a different time segment, but generally the modes can be of any type. For brevity, we retain the term 'pulse position' even though 'general mode position' is more appropriate.

The photon counting as well as heterodyne error performance of (26) are well known [23]. The block error rate from direct detection is exponentially optimum for large m,

$$P_e^{dd} = \left(1 - \frac{1}{m}\right)e^{-S}, \quad P_e \sim e^{-S}. \qquad (27)$$

The optimum block error rate $P_e$ for (26) is known exactly and given in (27) asymptotically. In contrast, for large m the heterodyne block error rate $P_e^{het}$ approaches 1 exponentially in $n = \log_2 m$, which is a general consequence of the Strong Converse to the Channel Coding Theorem as discussed in section III.D. For the present Gaussian channel case for heterodyne receivers, an explicit lower bound on the block error rate $P_e^{het}$, conditioned on any transmitted i, can be obtained in the form (p. 382 of [?])

$$P_e^{het} \ge \left(1 - [\Phi(y)]^{m-1}\right)\Phi\!\left(y - \sqrt{2S}\right), \qquad (28)$$

where $\Phi$ is the normalized Gaussian distribution. By choosing $y > \sqrt{2n}$, (28) yields explicitly $P_e^{het} \to 1$ exponentially in n for any given S. It is a main characteristic of classical orthogonal or simplex signals in AWGN that whenever an error is made, it is equally likely to be decoded by the optimal receiver to any of the m−1 other messages. Thus, under the condition $P_e^{het} \to 1$ the error profile is uniform, viz., $p_i = 1/m$ or the BER $P_b = 1/2$ with independent errors.
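The following Python, added here as an illustration and not part of the original paper, evaluates the binary error rates of (23) and the neighbour overlap on the $\alpha\eta$ circle (21) from Section V.A next to the CPPM rates (27) and the bound (28) from Section VI.A, to show numerically that the binary advantage is a fixed exponent ratio while E's heterodyne block error under CPPM rises toward 1 as n grows. The numerical threshold scan in best_cppm_heterodyne_bound and the sample values S = 10, n = 10..60 are this example's own assumptions.

```python
import math

# ---- Section V.A, Eqs. (21) and (23): binary antipodal coherent states -----

def coherent_overlap(alpha, beta):
    """|<alpha|beta>|^2 = exp(-|alpha - beta|^2) for two coherent states."""
    return math.exp(-abs(alpha - beta) ** 2)


def alpha_eta_neighbor_overlap(alpha0, M):
    """Overlap of two neighbouring states of the M-ary circle (21), i.e. of
    alpha0 and alpha0 * exp(2*pi*i/M).  M = 2 is the antipodal pair, whose
    overlap exp(-4 alpha0^2) is what makes them nearly orthogonal for alpha0 > 3."""
    theta = 2.0 * math.pi / M
    alpha = complex(alpha0, 0.0)
    beta = alpha0 * complex(math.cos(theta), math.sin(theta))
    return coherent_overlap(alpha, beta)


def binary_error_rates(S):
    """Asymptotic BERs of (23) for {|a0>, |-a0>} with S = a0^2 photons:
    optimum quantum receiver, heterodyne (6 dB worse in energy) and the
    optimal phase measurement (3 dB worse)."""
    return {
        "optimum": 0.25 * math.exp(-4.0 * S),
        "heterodyne": 0.5 * math.exp(-S),
        "phase": 0.5 * math.exp(-2.0 * S),
    }

# ---- Section VI.A, Eqs. (27)-(28): m-ary CPPM with m = 2^n modes ------------

def normal_cdf(y):
    """Phi(y): standard normal distribution function."""
    return 0.5 * math.erfc(-y / math.sqrt(2.0))


def cppm_direct_detection_error(S, n):
    """Block error rate (27) of ideal photon counting on the CPPM set (26):
    an error needs zero counts (probability e^-S) followed by a wrong guess
    among the m = 2^n positions.  Note it does not grow with n."""
    m = 2 ** n
    return (1.0 - 1.0 / m) * math.exp(-S)


def cppm_heterodyne_error_lower_bound(S, n, y):
    """The bound (28) at threshold y:
    P_e^het >= (1 - Phi(y)^(m-1)) * Phi(y - sqrt(2S)).
    Phi(y)^(m-1) is evaluated in log form so it does not round to 1 for huge m."""
    m = 2 ** n
    tail = 0.5 * math.erfc(y / math.sqrt(2.0))        # 1 - Phi(y)
    log_all_below = (m - 1) * math.log1p(-tail)        # log of Phi(y)^(m-1)
    some_noise_mode_above = -math.expm1(log_all_below)  # 1 - Phi(y)^(m-1)
    return some_noise_mode_above * normal_cdf(y - math.sqrt(2.0 * S))


def best_cppm_heterodyne_bound(S, n, y_max=20.0, step=0.01):
    """Tightest value of (28) over a grid of thresholds y.  The page picks y
    analytically; the grid scan is this example's own device."""
    best = 0.0
    k = 0
    while k * step <= y_max:
        best = max(best, cppm_heterodyne_error_lower_bound(S, n, k * step))
        k += 1
    return best


if __name__ == "__main__":
    S = 10.0
    print("binary (23) at S=10:", binary_error_rates(S))
    print("antipodal overlap, a0=3:", alpha_eta_neighbor_overlap(3.0, 2))
    print("neighbour overlap, a0=3, M=20:", alpha_eta_neighbor_overlap(3.0, 20))
    for n in (10, 20, 40, 60):
        print(f"n={n:2d}  B direct detection {cppm_direct_detection_error(S, n):.2e}"
              f"  E heterodyne >= {best_cppm_heterodyne_bound(S, n):.3f}")
```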

The KCQ qumode key generation scheme CPPM works as follows. Consider $m = 2^n$ possible $n$-bit sequences, and $m$ possible coherent states

$i, j \in \{1, \ldots, m\} \qquad (29)$

in correspondence with $\{|\phi_i\rangle\}$ of (26). For simplicity, one may set $\sum_j |\alpha_{ij}|^2 = |\alpha_0|^2 = S$ for every $i$. Let $f_k$ be a one-to-one map between (26) and (29) indexed by a key $K$. As an example of physical realization, the connection between (26) and (29) could be through a set of $N$ beam-splitters with transmission coefficients $\sqrt{\eta_l}$ for complex numbers $\eta_l$, $l \in \{1, \ldots, N\}$, determined by $k$. Such a physical realization combines the $\alpha_{ij}$ of (29) coherently through the $\eta_l$'s, and is represented by a unitary transformation between the two $m$-tensor product state spaces $\otimes_i H_i$ and $\otimes_i H'_i$ for the input and the output [83]. The states of (29) are used to modulate the data $i$ by A, and B demodulates by first applying $f_k$ to transform them to the states of (26) and then using direct detection on each of the $m$ modes $H_i$.

Without knowing $f_k$ or $\eta_l$, so that there are both amplitude and phase uncertainties for each $l$, it is expected that an attacker can do very little better than heterodyne on all the $H'_i$ modes, which is equivalent to heterodyne on all the $H_i$ modes, and then apply the different $f_k$'s on the classical measurement result (25). As presented above, by making $m$ large one can then make not only $p_E = 2^{-l}$ for any $l$, but E's error profile is in fact nearly uniform, with $p_i = (1 - 2^{-l})/(m - 1)$ for $i \ge 2$, thus there is no need for further privacy distillation. As a consequence, the system is not only completely secure against ciphertext-only attack on the key but also fully secure against known-plaintext attacks. This is because, given an input-output pair $(X_n, Y_E^n)$, the heterodyne output $Y_E^n$ has no relation to $X_n$ for any $k$ from E's uniform error profile. The exact quantitative behavior may be bounded via (28). We summarize:

Theorem 6 

Against E's universal heterodyne attack, the $m$-ary CPPM KCQ protocol is unconditionally secure with asymptotic key generation rate $n = \log_2 m$ per use and $p_E$, $I_E$ going to zero exponentially in $n$.

The only easy way to remove the restriction to heterodyning for E is to note that the optimum quantum receiver for discrimination among the states (26) is unique [49]. Thus, there is a gap between it and the performance of a receiver that does not know $K$ at the time of quantum measurement, which translates into a mutual information statement that can be used to show the existence of codes upon further coding, as described in III.E, that yields security in the sense of Theorem 1. Although this does not seem to give a useful practical protocol for actual implementation and does not guarantee key bit generation, it is of interest in principle to record the following.

Theorem 7: 

Against any attack by Eve, the CPPM scheme may be further coded to provide unconditional security with levels given by (12).



B. Further Outlook 

The direct detection or optimal detection performance (27) is affected by the presence of device noise, so that there is no longer a vacuum state in (26). However, an ordinary pre-amplifier could be used that suppresses all the device noise with a resulting performance degradation that amounts to a loss factor $1/4 < \eta < 1$ in $m$-ary PPM. Furthermore, in principle a photon-number amplifier mentioned in VI.A can be used as a noiseless pre-amplifier. Quantitative evaluations of the resulting performance are, however, yet to be carried out. One major advantage of coherent-state KCQ schemes is that they can be used through a limited number of amplifiers and switching nodes in a properly designed system with appropriate amplifiers. In general, quantum amplifiers degrade the user's error performance due to the fundamental quantum noise they introduce [39]. In a properly designed chain with appropriately chosen amplifier gains and lengths of lossy line segments, one can obtain a linear [51] instead of an exponential degradation in the signal-to-noise ratio (SNR) as a function of total line length. There is no need to decrypt and re-encrypt at the input of an amplifier as in a repeater, as long as the degradation introduced by the amplifier still leaves B with a performance advantage over E. Recall the overall general Advantage Creation Principle for key generation: B must have a performance advantage on the decoded information-bit sequence after all system imperfections, including loss and noise, are taken into account, as compared to E's decoded information-bit sequence for no loss and no imperfection other than unavoidable ones. In the case of CPPM, B's performance would be scaled by the total transmittance $\eta$, so that $S$ is replaced by $\eta S$ in (27). In principle, this is still a better performance compared to (28) with $\eta = 1$ for large enough $m$. Thus, CPPM can be secure for arbitrarily long-distance fiber communication.

It may be mentioned that the possible use of amplifiers in a quantum cryptosystem has been introduced previously for weak coherent states and heterodyne/homodyne detection, which traces back to Ref. [5?] that describes both coherent-state and squeezed-state cryptosystems. In particular, the usual-state scheme in Ref. [51] employs conjugate-variable measurement detection of the intrusion level similar to the schemes of Ref. [?], while also allowing a limited use of amplifiers as described. However, all such schemes are inefficient because weak or small-energy signals have to be used to avoid good performance in determining the actual signal state via optimal quantum detection by E, and via attacks similar to the USD attack on coherent-state realizations of BB84 type systems [?].

The CPPM scheme is also ideal for direct data encryption because it automatically produces a near-uniform error profile on E corresponding to near-perfect bit-by-bit security. Indeed, from the constant inner product $\langle\phi_i|\phi_j\rangle$ for every $i \ne j$, which is the quantum analog of the classical orthogonal or simplex signal behavior that is responsible for their near-uniform error profile in AWGN, it would be possible to prove that such a property persists under E's optimal attack. It would then appear that all problems are solved in principle, as an arbitrarily large error exponent advantage can be obtained between (27) and (28) by making $m$ large.

Unfortunately, as in a classical orthogonal signaling scheme, large $m$ in CPPM means exponential growth of bandwidth, not to mention growth in physical complexity. Indeed, (27) itself is an infinite-bandwidth result for large $m$. On the other hand, it is known [?] that if the signal-to-quantum-noise ratio per unit bandwidth is small, coherent-state direct detection systems do have larger capacity than heterodyne ones. Thus, it may be expected that properly designed error correcting codes, usually employed for bandlimited systems for such reasons, could be developed to retain much of the CPPM advantage for a large given bandwidth.

VII. KCQ AND DIRECT ENCRYPTION 

For direct encryption, one needs to consider ciphertext-only attack on the key, ciphertext-only attack on the data, and known-plaintext attack on the key. In conventional cryptography one has the Shannon bound, $H(X|Y) \le H(K)$, on the conditional entropy of the data $X$ given the ciphertext $Y$ via the key entropy. In the quantum case or in the presence of irreducible classical noise to E, the corresponding bound

$H(X|Y_E) \le H(K) \qquad (30)$

is no longer valid, where $Y_E$ is the classical ciphertext available to E. In the quantum case, $Y_E$ is obtained via a quantum measurement. If (30) is valid, as is the case in conventional cryptography, it does not mean that E knows all the bits in $X$ except for $|K|$ of them. That would be disastrous, as it often happens that $|K| < 10^{?}$ while $|X| > 10^{?}$. The operational meaning of (30) has never been analyzed in conventional cryptography, to my knowledge. It is usually not considered a problem because it is presumed that E would get many information bits in $X$ wrong knowing only $Y$ and not $K$. However, a more detailed analysis is needed for a security proof with respect to whatever chosen criteria, as we have done for key generation in section III.C. But that has never been provided in conventional cryptography other than in the trivial one-time pad case. When (30) is violated, Lemma 1 implies $I(X; Y_E K) < H(X)$, a condition that allows key generation via (?) as in Theorem 1. For direct encryption, such violation has the important implication that a very high level of data-bit security may be obtained without using the inefficient one-time pad. Indeed, we have seen how this may occur in CPPM treated in section VI. Note that Theorems 1 and 2 can also be used to describe the data quality in direct encryption.

It is easy to protect $K$ from ciphertext-only joint attacks in αη with the use of, e.g., DSR, discussed in section V.A. The technique can be extended to cover known-plaintext attacks in two different ways, to be presented in Part II. Without DSR, the bound (30) obtains with $H(K)/\log M$ on the right-hand side. The usual security problem is known-plaintext attack, in which E tries to determine $K$ from data-output sequence pairs with statistical correlation information on the data (of varying degree). Security against known-plaintext attacks is always at best computational-complexity based against exponential search in conventional cryptography. For noisy systems, we suggest that it is possible to have information-theoretic security, i.e.,

$H(K|X, Y_E) > 0, \qquad H(K|X, Y_B) = 0, \qquad (31)$

which has never been suggested before and is clearly impossible in conventional cryptography where $Y_E = Y_B$. Full security would correspond to $H(K|X, Y_E) = H(K)$, which again can be closely approximated in CPPM systems, at least for the universal heterodyne attack.
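To make the operational meaning of the Shannon bound (30) and of the known-plaintext quantities in (31) concrete in the conventional case $Y_E = Y_B$, here is an added Python example (not from the paper) that enumerates a constructed toy cipher exhaustively: a 2-bit data word under a fresh one-time pad and under a one-bit pad reused on both bits (the situation in the endnote on $x_1 \oplus k$, $x_2 \oplus k$). It computes $H(X|Y)$, $H(K|X,Y)$, $I(K;Y)$ and the leakage of $x_1 \oplus x_2$; the toy ciphers and all names are my own.

```python
import itertools
import math
from collections import Counter

# Constructed toy setting (not from the paper): a 2-bit data word X = (x1, x2)
# and a key K, with every (x, k) pair equiprobable. Two ciphers are compared:
#   fresh_pad : 2-bit key, each data bit gets its own pad bit (one-time pad)
#   reused_pad: 1-bit key applied to both data bits (pad reuse)

def fresh_pad(x, k):
    return (x[0] ^ k[0], x[1] ^ k[1])

def reused_pad(x, k):
    return (x[0] ^ k[0], x[1] ^ k[0])

def all_triples(cipher, key_bits):
    """Exhaustive, equiprobable list of (x, k, y) with 2-bit x and key_bits-bit k."""
    return [(x, k, cipher(x, k))
            for x in itertools.product((0, 1), repeat=2)
            for k in itertools.product((0, 1), repeat=key_bits)]

def entropy_bits(triples, *fields):
    """Shannon entropy in bits of the joint distribution of the selected fields;
    each field is a function of a triple (X, K, Y, D below)."""
    counts = Counter(tuple(f(t) for f in fields) for t in triples)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

X = lambda t: t[0]               # data word
K = lambda t: t[1]               # key
Y = lambda t: t[2]               # ciphertext, the same observation for E and B here
D = lambda t: t[0][0] ^ t[0][1]  # x1 XOR x2

def H_X_given_Y(triples):
    """Conditional entropy H(X|Y), the left-hand side of the Shannon bound (30)."""
    return entropy_bits(triples, X, Y) - entropy_bits(triples, Y)

def H_K_given_XY(triples):
    """Residual key entropy under a known-plaintext attack, H(K|X, Y), cf. (31)."""
    return entropy_bits(triples, K, X, Y) - entropy_bits(triples, X, Y)

def I_K_Y(triples):
    """Ciphertext-only key leakage I(K; Y) = H(K) + H(Y) - H(K, Y)."""
    return (entropy_bits(triples, K) + entropy_bits(triples, Y)
            - entropy_bits(triples, K, Y))

def I_D_Y(triples):
    """How much the ciphertext reveals about x1 XOR x2."""
    return (entropy_bits(triples, D) + entropy_bits(triples, Y)
            - entropy_bits(triples, D, Y))

def shannon_bound_holds(triples):
    """Check H(X|Y) <= H(K), the conventional form of (30)."""
    return H_X_given_Y(triples) <= entropy_bits(triples, K) + 1e-12

if __name__ == "__main__":
    for name, cipher, bits in (("fresh pad", fresh_pad, 2), ("reused pad", reused_pad, 1)):
        t = all_triples(cipher, bits)
        print(f"{name:10s} H(K)={entropy_bits(t, K):.1f} H(X|Y)={H_X_given_Y(t):.1f} "
              f"H(K|X,Y)={H_K_given_XY(t):.1f} I(K;Y)={I_K_Y(t):.1f} "
              f"I(x1^x2;Y)={I_D_Y(t):.1f}")
```

The run shows $H(X|Y) = H(K)$ in both cases, i.e. (30) is tight, with $H(X|Y)$ one bit below $H(X)$ for the reused pad, where $I(x_1 \oplus x_2; Y) = 1$ bit even though $I(K;Y) = 0$; and $H(K|X,Y) = 0$ for both ciphers, which is exactly the conventional known-plaintext situation that (31) is meant to escape.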

Even when $H(K|X, Y_E) = 0$, as is the case in conventional cryptography for sufficiently long $X$, the system may be secure in the sense of high search complexity. In particular, αη in the original form without DSR provides an additional search problem to E, as compared to just the encryption box, that is exponential in $|K|/\log_2 M$, at least for brute-force search. For increasing the search complexity, one may make sure the input data can never be perfectly known in several ways. One is to use polarity or padding bits as described in Section II. Another is to generate the polarity bits through a running key obtained from another encryption mechanism with the same $K$ or another different key as the seed key. Note that the proper use of DSR would introduce inevitable coherent-state quantum noise for E, which may even lead to information-theoretic security already if the energy in the coherent state is not too large. No proof of any cryptosystem has ever been given in conventional cryptography, to my knowledge, that establishes a rigorous exponential lower bound on the search complexity. And we have not (yet) succeeded in proving that αη necessitates an exponential search either; it is just an added search burden as compared to just the encryption box and appears exponential. In general, such multi-variable correlated classical statistical problems have the full mathematical complexity of many-body problems and quantum field theory in physics. Useful lower bounds are also notoriously difficult to obtain in computation problems. Perhaps these explain why no rigorous security proof is available on such complexity-based security.

On the other hand, exponential search complexity 
should be good enough for any application. We have 
mentioned in section II that Grover's search only reduces 
the exponent by a factor of two, which is easily compen- 
sated by increasing the key size by a factor of two in 
many standard schemes as well as in our KCQ schemes, 
either qubit or coherent-state. 

As noted previously in this paper, data security against attacks on the key with statistical knowledge on data that are not completely random is required for a complete proof of key generation security with KCQ. An extensive general theoretical development of direct encryption security analysis will be provided in Part II, where conditional probabilities will be used in addition to entropies for a more precise quantitative estimate of specific coding/detection scheme performance. The behaviors of αη, CPPM, and their refinements and extensions will be developed for concrete cryptosystem design.



VIII. COMPARISON AMONG QKG SCHEMES 

We present below a brief qualitative comparison be- 
tween QKG schemes of the BB84 type, of the qubit KCQ 
type, and the coherent-state KCQ type. Detailed quanti- 
tative comparisons will be given after rigorous evaluation 
of the quantitative characteristics of these schemes for fi- 
nite n. 

Theoretically, BB84 type protocols suffer from the fol- 
lowing classes of problems as a matter of fundamental 
principle. 

(i) It is hard to bound Eve's error rate on the key gen- 
erated due to the difficulties of intrusion-level estimation 
under joint attacks with side information on the error 
correcting and privacy distillation codes. 

(ii) It is difficult to produce a complete protocol that 
can be practically implemented with quantifiable secu- 
rity and efficiency, due to the decoding problem and the 
stopping-rule problem. 

(iii) It is hard to include the various system imper- 
fections in an unconditional security proof, and to build 
protocols robust with respect to fluctuations in the mag- 
nitude of these imperfections. 

(iv) The necessary use of weak signals and the diffi- 
culty of repeating the signal without decryption imply 
low throughput even with just moderate loss. 

(v) The intrinsic small quantum effect of a single pho- 
ton necessitates an accurate sensitivity analysis with re- 
spect to the system imperfection and environmental per- 
turbations, that would result in a low interference toler- 
ance threshold in commercial applications. 

Corresponding to these problems are related practical ones, including

(i') It is difficult or impossible to rigorously ascertain 
the quantitative security level of the generated key. 

(ii') The throughput or key-generation rate would be 
low, especially in the presence of substantial loss. 

(iii') The cryptosystem is sensitive to interference, and 
needs to be controlled and checked with a high precision 
difficult to achieve practically. 

(iv') High-precision components corresponding to a 
fundamentally new technology are required, including the 
source, transmission line or repeater, and detector. 

With the exception of (i) and (ii), which are further discussed in Appendix A, all these problems are evident and well known in BB84, although there are disagreements on how readily they can be overcome. Nevertheless, in the foreseeable future it seems clear that BB84 type schemes cannot be made to operate in a commercial type environment with any reasonable level of security and efficiency for even moderately long distance. The weak coherent-state schemes of Ref. [38] also suffer from all these problems except (iv'), and that of Ref. [51] is only slightly better.

With the use of qubit KCQ type schemes, the theoretical problems in (i) and (ii) can be largely overcome, but not the ones in (iii) and (iv), except perhaps with very low key-bit generation efficiency. Except for (i'), the practical difficulties (ii')-(iv') also remain. Again, it may be possible to alleviate these problems with strong error correction that implies a low $k_{\rm eff}$.

With the use of the qumode KCQ schemes of inter- 
mediate to large energy, all the fundamental difficulties 
(i)-(iv) can be substantially reduced. Furthermore, each 
of the practical difficulties (i')-(iv') either disappears or 
is substantially alleviated. The exception is loss in long- 
distance fiber communication. In principle, a wideband 
coherent CPPM system presented in section VI could 
solve all problems. For practical application, new ap- 
proaches are needed to deal with bandwidth limitation 
and coherence requirements. It is still a major problem to 
create enough advantage for unconditional information- 
theoretic security. 



IX. CONCLUDING REMARKS 

A new principle of quantum cryptography has been presented on the basis of optimal versus nonoptimal quantum detection when a seed key is known or not known. This possibility of yielding better performance for the users over an attacker is a quantum effect with no classical analog. In classical physics, a complete observation of the physical signal state can be made with or without the key. It would be misleading to phrase the basis of this possibility as no-cloning, which is trivially covered [53, 5?] by quantum detection theory that provides detailed quantitative limits on quantum state discrimination from the laws of quantum physics. A detailed development of the appropriate novel quantum detection theory will be given in the future for a complete quantitative assessment of cryptosystem efficiency and security. This will be done especially in terms of Eve's optimal probability of guessing the generated key correctly, which is a more appropriate criterion than her mutual information.

A powerful new KCQ protocol CPPM that utilizes m- 
ary instead of binary detection has been presented that 
could, in principle, lead to secure key generation and data 
encryption over long-distance telecomm fibers. However, 
the problem of obtaining such a protocol under bandwidth and practical constraints remains both a theoretical and experimental challenge.

APPENDIX A: PROBLEMS OF QKG UNCONDITIONAL SECURITY PROOFS

In the QKG literature, there are different types of security proofs that purport to show the existence of unconditionally secure protocols against any attack allowed by the laws of physics, while new proofs are continually emerging that we have not scrutinized. They are the proofs of Shor-Preskill [?], Lo-Chau [?], Mayers [?], Biham et al. [?], and recently a more complete approach by Hamada [?]. I believe that all of them have serious gaps that are difficult to close. The situation is rather confusing because the strategies of these proofs are different, and problems in one type may not arise in another. In the following, three major problems in these proofs are briefly described; at least one of them applies to any of the above proofs. In addition, three other problems in a complete protocol are briefly indicated, none of which has been addressed in the literature, to my knowledge [84].

The three major problems in these proofs are 

(i) It is hard to rigorously and accurately estimate E's 
disturbance on the qubits under a joint attack. 

(ii) It is difficult to show there exists a universal error 
correcting code that would produce the desired security 
level for all attacks that pass the intrusion-level test in 
the protocol with significant probability. 

(iii) The side information that E has from the public 
knowledge has not been properly taken into account in 
the estimate of her information on the key generated. 

From an information-theoretic viewpoint, a joint attack from E creates in general a quantum channel with entanglement on the user's qubits. It seems impossible to obtain a good estimate of E's disturbance from merely one copy of the general channel. This difficulty, which may be called the inference problem, also affects the existence and the choice of a code that would perform satisfactorily under all possible attacks that do not lead to the protocol being aborted, as expressed in (ii) above. Indeed, even for constant individual attacks this coding problem has only recently been rigorously dealt with in Ref. [57].



When it applies, the inference problem is serious and does not seem to have a solution even in the asymptotic limit $n \to \infty$. It seems to be handled in Ref. [23] by the argument of quantum to classical reduction adopted from Ref. [?]. However, the local measurement actually performed by the users is not equivalent to the nonlocal degenerate Bell measurement needed for the reduction to go through, with respect to the determination of the state after the measurement that is needed in the next step of the proof. They are only equivalent, in both the cases of Ref. [?] and Ref. [?], with respect to the probabilities that govern the use of the measurement results. Perhaps the equivalence claim arose from interpreting the description of a measurement by the same $X \otimes X$ differently in two different contexts [2?]. When $X \otimes X$ has a degenerate spectrum, the measurement as specified by a POM is not uniquely represented by the symbol $X \otimes X$. Furthermore, the inference from the test qubit results to the information qubits left cannot be justified by the quantum de Finetti Theorem [5?], because quantum entanglement leads to violation of the exchangeability premise of the theorem, and quantum entanglement is precisely what a joint attack can yield that an individual attack cannot. However, the inference problem does not arise in proofs where B makes measurements on all received qubits before proceeding. The problem of such proofs is how one may bound Eve's information under her optimal attack.

Note that a security proof needs to answer this question for the user: given that a key is obtained by following the protocol on $n$ qubits, what can one rigorously say about the error profile or information that E has on that key, as optimized over all her possible attacks? This question is especially serious for the realistic case when the statistical fluctuation due to a finite $n$ needs to be under control. It appears that new techniques need to be developed to handle such problems in this type of protocol with intrusion-level detection. Even asymptotically, the coding problem remains on what scheme one should employ that guarantees a bound on Eve's information when she optimizes her probe/interaction in anticipation that she would receive side information later, before she makes her measurement. This problem is coupled with the following side information problem, although the latter constitutes a problem all by itself.

In terms of our notation, the side information problem can be simply stated as follows. Let $S$ be E's side information before she makes her final measurement and estimate of the generated key $K^g$ from an observation on her ancilla. Then Eve's mutual information on $K^g$ is given by $I(K^g; Y_E S)$. By the chain rule this is equal to $I(K^g; Y_E | S) + I(K^g; S)$. Most treatments just bound $I(K^g; Y_E)$. In [1?], the (smaller) $I(K^g; Y_E | S)$ is bounded, but $I(K^g; S)$ is ignored. However, $I(K^g; S)$ may grow with the number of qubits $n$ and has to be subtracted out to show that a net positive key generation rate is in fact obtained. In this regard, we may recall that the fundamental superiority of quantum over standard cryptography is based almost exclusively on the availability of rigorous proofs rather than mere plausible assumptions, qualitative arguments and numerical simulations.

The three problems that need to be dealt with in a complete protocol that can be practically implemented with quantifiable security are

(1) The Efficient Code Problem: 

One needs to show there is a polynomial-time algorithm for decoding whatever code is utilized in the security proof. If a non-optimal efficient algorithm is used, its effect on security needs to be quantified. In this connection, it may be observed that there are no rigorous quantitative bounds on the efficiency and security levels of the Cascade protocol [?] widely used in experimental implementations.

(2) The Stopping Rule Problem:

As discussed in section IV, to obtain $P(I_E > \delta \,|\, {\rm pass})$, which provides the quantitative security guarantee of the protocol, one needs an explicit stopping/re-starting strategy. Then one needs to bound Eve's optimal attack performance with respect to such a strategy from an appropriate overall criterion.

(3) The Future Key Use Problem: 

When the generated key is used as a one-time pad or as a seed key in a conventional cipher, a known-plaintext attack on part of the key can be combined with Eve's original probe/measurement to tell something about the rest of the key. This problem arises also in the KCQ approach, and shows the crucial importance of the direct encryption known-plaintext attack problem in using keys obtained from a key-generation protocol.



APPENDIX B: ON CRITICISMS OF αη

There have appeared three papers [6?, 6?, 62] in quant-ph this year that purport to show that the αη scheme reported in [17, 1?] is insecure in various ways. These criticisms are briefly summarized and responded to in this Appendix.

A general criticism seems to be made in Ref. [63] that our claim in [17, 1?] on the possible use of amplifiers in coherent-state cryptosystems cannot be valid. It is not clear exactly what this objection is. In any event, we qualify such use in our papers by the statement that security must be guaranteed for E attacking near the transmitter, since quantum amplifiers generally degrade the communication performance. There are three specific criticisms from Ref. [60] that one can ascertain:

(i) In the presence of loss so large that E can get $2^{|K|}$ copies by splitting the coherent-state signal at the transmitter, there can only be complexity-based security.

(ii) With just a 3 dB loss, use of the Grover Search implies there can only be complexity-based security.

(iii) The Grover Search is 'powerful' against complexity-based security.



In response, observe that only complexity-based security is ever claimed in [17, 1?] against joint attack on the key $K$. The other information-theoretic security claimed is on individual ciphertext-only attack on the data. As discussed in Section VII, it is quite sufficient to have complexity-based security if it can be proved exponential, which is only reduced by a factor of 2 with the Grover Search. Long keys of thousands of bits can be used in αη at high speed in both software and hardware implementations, making the exponential search completely ineffective.

Furthermore, the Grover Search cannot be launched against αη with a 3 dB loss. If it could, there would be no need for the $2^{|K|}$ copies extensively discussed in Ref. [?]. Indeed, there is no discussion there on how the Grover or any search can be launched with a 3 dB loss. There is a general misclaim in some papers on quantum cryptography that a 3 dB loss on a coherent-state cryptosystem renders it insecure because E can obtain a copy of the quantum ciphertext identical to B's. This is not true even without the use of a secret key. It is not true for B92 [?] or YK or the usual-state scheme described in [51], although it renders a coherent-state BB84 scheme and some 'continuous-variable' schemes essentially insecure. When a secret key $K$ is used, it is not true at all. Indeed, the possibility of key generation while granting E a full copy to bound her performance depends on this being not true. As explained in this paper, knowledge of the secret key allows B to make a better measurement than E, who cannot attain the same performance as B even if she knows the key later.

It is true that when $2^{|K|}$ copies are available to E, there is no information-theoretic security left in a known-plaintext attack on direct encryption, and key generation is impossible. But it is clear that no one would contemplate the operation of a cryptosystem over such a huge loss $2^{-|K|}$ without intermittent amplifiers or other compensating devices. Numerically, $2^{-|K|}$ corresponds to the propagation loss over one thousand kilometers of low-loss fibers without amplifiers for just $|K| \sim 80$ bits in αη with $M \sim 10^{?}$. It is totally out of the realm of possibility to sustain such loss even in ordinary optical communication without cryptography. As the use of amplifiers is suggested in [17, 1?], it is hard to see why such a criticism is relevant. As a matter of fact, αη in its original form is insecure at a much smaller loss than $2^{-|K|}$ for any reasonable $|K|$.

In Ref. [6?], it is claimed that a device can be found that would lead to a bit error rate $P_e$ much lower than the quantum detection theory result $\sim 1/2$ reported in [17] for individual ciphertext-only attack on the data. As pointed out by several others including G. Barbosa and O. Hirota, such a device cannot exist because violating quantum detection theory means violating the laws of quantum physics. In Ref. [62], it is claimed that αη is merely a classical cipher. The exact nature of αη for key generation has been analyzed in section V, and for direct encryption in section VII. While αη can indeed be run in the classical limit and even in just software, the blanket claim that αη is classical for intermediate and large signal energy, and hence presumably does not permit key generation, is incorrect because their equation (10) does not hold exactly. In particular, the discussion around (23) in our section V.A shows how αη in just its original form may allow key generation. For a further concise discussion, see Ref. [6?].
attacker which is identical to that of the user without a shared secret key. (This one copy rather than full cloning [80] capability is the proper analog to a doner in the classical
classical analog.

We distinguish the qualitative intrusion detection that 
tells the absence or presence of an attacker, from the 
quantitative intrusion-level detection that is needed in 
a BB84 protocol to generate a fresh final key that the 
attacker knows essentially nothing about. 
The classical noise and B92 type protocols suffer from 
many of these problems also, due to the necessary use 
of weak signals. On the other hand, the post-detection 
selection technique in these protocols can be used on top 
of KCQ protocols to increase the security level at the 
expense of efficiency. 

The term CDMA - code division multiple access - is used 
here as in cellular communication to denote an arbitrary 
signal set for communication. 

We use the term 'key extension' to denote the process 
of getting a larger session key K' from a seed key K, 
avoiding the term 'key expansion' for possible confusions. 
We distinguish 'independent' from 'uncorrelated' in the 
standard mathematical and statistical sense, avoiding the 
common use of 'uncorrelated' to mean 'statistically inde- 
pendent' by many physicists. 

Indeed, if there is already a good experimental demon- 
stration of a complete Bell measurement over a single pair 
of single-photon qubits, there is none on 3-qubit systems. 
Generally, we use capitals to denote a random variable 
and lowercases to denote a specific value it takes, al- 
though the distinction may not be necessary dependent 
on context. 

We often use k instead of k' for values of K' to simplify 
notation, which should not cause confusion. 
Note that this possibility only obtains under our perfor- 
mance bounding assumption that E has a whole copy, 
which would not occur in practice without E disrupting 
the protocol so much that it would be aborted during 
key verification - see section III.F and III.G. Neverthe- 
less, it demonstrates that it is sometimes possible for E 
to obtain a lot more information by collective rather than 
independent processing. 

Similarly, in BB84 joint classical processing on individual qubit measurements may be used to exploit the overall correlation between bits to optimize E's information obtained through the error correction information announced publicly. As will be discussed further below, this has not been properly accounted for in the security analysis in the literature for both individual and joint attacks.
This is Kerckhoffs's Principle in cryptography, which states that only the shared secret key can be assumed unknown to an attacker.

In some KCQ implementations, in particular the ones on qumodes reported in [l^ IT^ , K' is open to partial observation. Then direct complexity-based security obtains from the need to invert such an imprecisely observed K' to K.
Note that there is no need to know k to be able to correlate data bits through its repeated use. For example, in two uses of a one-time pad, x_1 ⊕ k and x_2 ⊕ k on two random data bits x_1 and x_2, we learn x_1 ⊕ x_2 without knowing k. Indeed, no information on k is obtained from the observation of x_1 ⊕ k and x_2 ⊕ k.

We use the term 'conventional cryptography' to denote the situation where E and B have the same observation, Y_E = Y_B = Y. It is distinguished from classical noise cryptography and from quantum cryptography.
In general, one may ignore insecurity claims against the security of a protocol that are made for reasons not intrinsic to the protocol, e.g., that a shared secret key is not really secret. Such a claim is common to all protocols, which always require some common secrecy between two users, say for agent authentication, that distinguishes them from other parties. Similarly, the record of a secret key in KCQ schemes can be assumed safeguarded or 'destroyed', as the situation is different from that of a public key distribution center, which needs to use the public key repeatedly.

[83] Note that this description is neither the Schrodinger nor the Heisenberg picture, but is more convenient in problems of quantum system analysis.
[84] While only I am responsible for the assertions in this Appendix, they are made after extensive discussion in our group that also included G.M. D'Ariano, W.-Y. Hwang, R. Nair, and M. Raginsky, who made important contributions and clarifications that made the writing of this Appendix possible. I also benefited from exchanges with M. Hamada, H.-K. Lo, and N. Lütkenhaus. I hope this Appendix will stimulate serious exchanges, and that it will be replaced by separate papers in the future.



